<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.9" />
<title>Snort++ User Manual</title>
<style type="text/css">
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */

/* Default font. */
body {
  font-family: Georgia,serif;
}

/* Title font. */
h1, h2, h3, h4, h5, h6,
div.title, caption.title,
thead, p.table.header,
#toctitle,
#author, #revnumber, #revdate, #revremark,
#footer {
  font-family: Arial,Helvetica,sans-serif;
}

body {
  margin: 1em 5% 1em 5%;
}

a {
  color: blue;
  text-decoration: underline;
}
a:visited {
  color: fuchsia;
}

em {
  font-style: italic;
  color: navy;
}

strong {
  font-weight: bold;
  color: #083194;
}

h1, h2, h3, h4, h5, h6 {
  color: #527bbd;
  margin-top: 1.2em;
  margin-bottom: 0.5em;
  line-height: 1.3;
}

h1, h2, h3 {
  border-bottom: 2px solid silver;
}
h2 {
  padding-top: 0.5em;
}
h3 {
  float: left;
}
h3 + * {
  clear: left;
}
h5 {
  font-size: 1.0em;
}

div.sectionbody {
  margin-left: 0;
}

hr {
  border: 1px solid silver;
}

p {
  margin-top: 0.5em;
  margin-bottom: 0.5em;
}

ul, ol, li > p {
  margin-top: 0;
}
ul > li     { color: #aaa; }
ul > li > * { color: black; }

.monospaced, code, pre {
  font-family: "Courier New", Courier, monospace;
  font-size: inherit;
  color: navy;
  padding: 0;
  margin: 0;
}
pre {
  white-space: pre-wrap;
}

#author {
  color: #527bbd;
  font-weight: bold;
  font-size: 1.1em;
}
#email {
}
#revnumber, #revdate, #revremark {
}

#footer {
  font-size: small;
  border-top: 2px solid silver;
  padding-top: 0.5em;
  margin-top: 4.0em;
}
#footer-text {
  float: left;
  padding-bottom: 0.5em;
}
#footer-badges {
  float: right;
  padding-bottom: 0.5em;
}

#preamble {
  margin-top: 1.5em;
  margin-bottom: 1.5em;
}
div.imageblock, div.exampleblock, div.verseblock,
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
div.admonitionblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.admonitionblock {
  margin-top: 2.0em;
  margin-bottom: 2.0em;
  margin-right: 10%;
  color: #606060;
}

div.content { /* Block element content. */
  padding: 0;
}

/* Block element titles. */
div.title, caption.title {
  color: #527bbd;
  font-weight: bold;
  text-align: left;
  margin-top: 1.0em;
  margin-bottom: 0.5em;
}
div.title + * {
  margin-top: 0;
}

td div.title:first-child {
  margin-top: 0.0em;
}
div.content div.title:first-child {
  margin-top: 0.0em;
}
div.content + div.title {
  margin-top: 0.0em;
}

div.sidebarblock > div.content {
  background: #ffffee;
  border: 1px solid #dddddd;
  border-left: 4px solid #f0f0f0;
  padding: 0.5em;
}

div.listingblock > div.content {
  border: 1px solid #dddddd;
  border-left: 5px solid #f0f0f0;
  background: #f8f8f8;
  padding: 0.5em;
}

div.quoteblock, div.verseblock {
  padding-left: 1.0em;
  margin-left: 1.0em;
  margin-right: 10%;
  border-left: 5px solid #f0f0f0;
  color: #888;
}

div.quoteblock > div.attribution {
  padding-top: 0.5em;
  text-align: right;
}

div.verseblock > pre.content {
  font-family: inherit;
  font-size: inherit;
}
div.verseblock > div.attribution {
  padding-top: 0.75em;
  text-align: left;
}
/* DEPRECATED: Pre version 8.2.7 verse style literal block. */
div.verseblock + div.attribution {
  text-align: left;
}

div.admonitionblock .icon {
  vertical-align: top;
  font-size: 1.1em;
  font-weight: bold;
  text-decoration: underline;
  color: #527bbd;
  padding-right: 0.5em;
}
div.admonitionblock td.content {
  padding-left: 0.5em;
  border-left: 3px solid #dddddd;
}

div.exampleblock > div.content {
  border-left: 3px solid #dddddd;
  padding-left: 0.5em;
}

div.imageblock div.content { padding-left: 0; }
span.image img { border-style: none; vertical-align: text-bottom; }
a.image:visited { color: white; }

dl {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
dt {
  margin-top: 0.5em;
  margin-bottom: 0;
  font-style: normal;
  color: navy;
}
dd > *:first-child {
  margin-top: 0.1em;
}

ul, ol {
    list-style-position: outside;
}
ol.arabic {
  list-style-type: decimal;
}
ol.loweralpha {
  list-style-type: lower-alpha;
}
ol.upperalpha {
  list-style-type: upper-alpha;
}
ol.lowerroman {
  list-style-type: lower-roman;
}
ol.upperroman {
  list-style-type: upper-roman;
}

div.compact ul, div.compact ol,
div.compact p, div.compact p,
div.compact div, div.compact div {
  margin-top: 0.1em;
  margin-bottom: 0.1em;
}

tfoot {
  font-weight: bold;
}
td > div.verse {
  white-space: pre;
}

div.hdlist {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
div.hdlist tr {
  padding-bottom: 15px;
}
dt.hdlist1.strong, td.hdlist1.strong {
  font-weight: bold;
}
td.hdlist1 {
  vertical-align: top;
  font-style: normal;
  padding-right: 0.8em;
  color: navy;
}
td.hdlist2 {
  vertical-align: top;
}
div.hdlist.compact tr {
  margin: 0;
  padding-bottom: 0;
}

.comment {
  background: yellow;
}

.footnote, .footnoteref {
  font-size: 0.8em;
}

span.footnote, span.footnoteref {
  vertical-align: super;
}

#footnotes {
  margin: 20px 0 20px 0;
  padding: 7px 0 0 0;
}

#footnotes div.footnote {
  margin: 0 0 5px 0;
}

#footnotes hr {
  border: none;
  border-top: 1px solid silver;
  height: 1px;
  text-align: left;
  margin-left: 0;
  width: 20%;
  min-width: 100px;
}

div.colist td {
  padding-right: 0.5em;
  padding-bottom: 0.3em;
  vertical-align: top;
}
div.colist td img {
  margin-top: 0.3em;
}

@media print {
  #footer-badges { display: none; }
}

#toc {
  margin-bottom: 2.5em;
}

#toctitle {
  color: #527bbd;
  font-size: 1.1em;
  font-weight: bold;
  margin-top: 1.0em;
  margin-bottom: 0.1em;
}

div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
  margin-top: 0;
  margin-bottom: 0;
}
div.toclevel2 {
  margin-left: 2em;
  font-size: 0.9em;
}
div.toclevel3 {
  margin-left: 4em;
  font-size: 0.9em;
}
div.toclevel4 {
  margin-left: 6em;
  font-size: 0.9em;
}

span.aqua { color: aqua; }
span.black { color: black; }
span.blue { color: blue; }
span.fuchsia { color: fuchsia; }
span.gray { color: gray; }
span.green { color: green; }
span.lime { color: lime; }
span.maroon { color: maroon; }
span.navy { color: navy; }
span.olive { color: olive; }
span.purple { color: purple; }
span.red { color: red; }
span.silver { color: silver; }
span.teal { color: teal; }
span.white { color: white; }
span.yellow { color: yellow; }

span.aqua-background { background: aqua; }
span.black-background { background: black; }
span.blue-background { background: blue; }
span.fuchsia-background { background: fuchsia; }
span.gray-background { background: gray; }
span.green-background { background: green; }
span.lime-background { background: lime; }
span.maroon-background { background: maroon; }
span.navy-background { background: navy; }
span.olive-background { background: olive; }
span.purple-background { background: purple; }
span.red-background { background: red; }
span.silver-background { background: silver; }
span.teal-background { background: teal; }
span.white-background { background: white; }
span.yellow-background { background: yellow; }

span.big { font-size: 2em; }
span.small { font-size: 0.6em; }

span.underline { text-decoration: underline; }
span.overline { text-decoration: overline; }
span.line-through { text-decoration: line-through; }

div.unbreakable { page-break-inside: avoid; }


/*
 * xhtml11 specific
 *
 * */

div.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.tableblock > table {
  border: 3px solid #527bbd;
}
thead, p.table.header {
  font-weight: bold;
  color: #527bbd;
}
p.table {
  margin-top: 0;
}
/* Because the table frame attribute is overriden by CSS in most browsers. */
div.tableblock > table[frame="void"] {
  border-style: none;
}
div.tableblock > table[frame="hsides"] {
  border-left-style: none;
  border-right-style: none;
}
div.tableblock > table[frame="vsides"] {
  border-top-style: none;
  border-bottom-style: none;
}


/*
 * html5 specific
 *
 * */

table.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
thead, p.tableblock.header {
  font-weight: bold;
  color: #527bbd;
}
p.tableblock {
  margin-top: 0;
}
table.tableblock {
  border-width: 3px;
  border-spacing: 0px;
  border-style: solid;
  border-color: #527bbd;
  border-collapse: collapse;
}
th.tableblock, td.tableblock {
  border-width: 1px;
  padding: 4px;
  border-style: solid;
  border-color: #527bbd;
}

table.tableblock.frame-topbot {
  border-left-style: hidden;
  border-right-style: hidden;
}
table.tableblock.frame-sides {
  border-top-style: hidden;
  border-bottom-style: hidden;
}
table.tableblock.frame-none {
  border-style: hidden;
}

th.tableblock.halign-left, td.tableblock.halign-left {
  text-align: left;
}
th.tableblock.halign-center, td.tableblock.halign-center {
  text-align: center;
}
th.tableblock.halign-right, td.tableblock.halign-right {
  text-align: right;
}

th.tableblock.valign-top, td.tableblock.valign-top {
  vertical-align: top;
}
th.tableblock.valign-middle, td.tableblock.valign-middle {
  vertical-align: middle;
}
th.tableblock.valign-bottom, td.tableblock.valign-bottom {
  vertical-align: bottom;
}


/*
 * manpage specific
 *
 * */

body.manpage h1 {
  padding-top: 0.5em;
  padding-bottom: 0.5em;
  border-top: 2px solid silver;
  border-bottom: 2px solid silver;
}
body.manpage h2 {
  border-style: none;
}
body.manpage div.sectionbody {
  margin-left: 3em;
}

@media print {
  body.manpage div#toc { display: none; }
}


@media screen {
  body {
    max-width: 50em; /* approximately 80 characters wide */
    margin-left: 16em;
  }

  #toc {
    position: fixed;
    top: 0;
    left: 0;
    bottom: 0;
    width: 13em;
    padding: 0.5em;
    padding-bottom: 1.5em;
    margin: 0;
    overflow: auto;
    border-right: 3px solid #f8f8f8;
    background-color: white;
  }

  #toc .toclevel1 {
    margin-top: 0.5em;
  }

  #toc .toclevel2 {
    margin-top: 0.25em;
    display: list-item;
    color: #aaaaaa;
  }

  #toctitle {
    margin-top: 0.5em;
  }
}
</style>
<script type="text/javascript">
/*<![CDATA[*/
var asciidoc = {  // Namespace.

/////////////////////////////////////////////////////////////////////
// Table Of Contents generator
/////////////////////////////////////////////////////////////////////

/* Author: Mihai Bazon, September 2002
 * http://students.infoiasi.ro/~mishoo
 *
 * Table Of Content generator
 * Version: 0.4
 *
 * Feel free to use this script under the terms of the GNU General Public
 * License, as long as you do not remove or alter this notice.
 */

 /* modified by Troy D. Hanson, September 2006. License: GPL */
 /* modified by Stuart Rackham, 2006, 2009. License: GPL */

// toclevels = 1..4.
toc: function (toclevels) {

  function getText(el) {
    var text = "";
    for (var i = el.firstChild; i != null; i = i.nextSibling) {
      if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
        text += i.data;
      else if (i.firstChild != null)
        text += getText(i);
    }
    return text;
  }

  function TocEntry(el, text, toclevel) {
    this.element = el;
    this.text = text;
    this.toclevel = toclevel;
  }

  function tocEntries(el, toclevels) {
    var result = new Array;
    var re = new RegExp('[hH]([1-'+(toclevels+1)+'])');
    // Function that scans the DOM tree for header elements (the DOM2
    // nodeIterator API would be a better technique but not supported by all
    // browsers).
    var iterate = function (el) {
      for (var i = el.firstChild; i != null; i = i.nextSibling) {
        if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
          var mo = re.exec(i.tagName);
          if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {
            result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
          }
          iterate(i);
        }
      }
    }
    iterate(el);
    return result;
  }

  var toc = document.getElementById("toc");
  if (!toc) {
    return;
  }

  // Delete existing TOC entries in case we're reloading the TOC.
  var tocEntriesToRemove = [];
  var i;
  for (i = 0; i < toc.childNodes.length; i++) {
    var entry = toc.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div'
     && entry.getAttribute("class")
     && entry.getAttribute("class").match(/^toclevel/))
      tocEntriesToRemove.push(entry);
  }
  for (i = 0; i < tocEntriesToRemove.length; i++) {
    toc.removeChild(tocEntriesToRemove[i]);
  }

  // Rebuild TOC entries.
  var entries = tocEntries(document.getElementById("content"), toclevels);
  for (var i = 0; i < entries.length; ++i) {
    var entry = entries[i];
    if (entry.element.id == "")
      entry.element.id = "_toc_" + i;
    var a = document.createElement("a");
    a.href = "#" + entry.element.id;
    a.appendChild(document.createTextNode(entry.text));
    var div = document.createElement("div");
    div.appendChild(a);
    div.className = "toclevel" + entry.toclevel;
    toc.appendChild(div);
  }
  if (entries.length == 0)
    toc.parentNode.removeChild(toc);
},


/////////////////////////////////////////////////////////////////////
// Footnotes generator
/////////////////////////////////////////////////////////////////////

/* Based on footnote generation code from:
 * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html
 */

footnotes: function () {
  // Delete existing footnote entries in case we're reloading the footnodes.
  var i;
  var noteholder = document.getElementById("footnotes");
  if (!noteholder) {
    return;
  }
  var entriesToRemove = [];
  for (i = 0; i < noteholder.childNodes.length; i++) {
    var entry = noteholder.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")
      entriesToRemove.push(entry);
  }
  for (i = 0; i < entriesToRemove.length; i++) {
    noteholder.removeChild(entriesToRemove[i]);
  }

  // Rebuild footnote entries.
  var cont = document.getElementById("content");
  var spans = cont.getElementsByTagName("span");
  var refs = {};
  var n = 0;
  for (i=0; i<spans.length; i++) {
    if (spans[i].className == "footnote") {
      n++;
      var note = spans[i].getAttribute("data-note");
      if (!note) {
        // Use [\s\S] in place of . so multi-line matches work.
        // Because JavaScript has no s (dotall) regex flag.
        note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];
        spans[i].innerHTML =
          "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
        spans[i].setAttribute("data-note", note);
      }
      noteholder.innerHTML +=
        "<div class='footnote' id='_footnote_" + n + "'>" +
        "<a href='#_footnoteref_" + n + "' title='Return to text'>" +
        n + "</a>. " + note + "</div>";
      var id =spans[i].getAttribute("id");
      if (id != null) refs["#"+id] = n;
    }
  }
  if (n == 0)
    noteholder.parentNode.removeChild(noteholder);
  else {
    // Process footnoterefs.
    for (i=0; i<spans.length; i++) {
      if (spans[i].className == "footnoteref") {
        var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");
        href = href.match(/#.*/)[0];  // Because IE return full URL.
        n = refs[href];
        spans[i].innerHTML =
          "[<a href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
      }
    }
  }
},

install: function(toclevels) {
  var timerId;

  function reinstall() {
    asciidoc.footnotes();
    if (toclevels) {
      asciidoc.toc(toclevels);
    }
  }

  function reinstallAndRemoveTimer() {
    clearInterval(timerId);
    reinstall();
  }

  timerId = setInterval(reinstall, 500);
  if (document.addEventListener)
    document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);
  else
    window.onload = reinstallAndRemoveTimer;
}

}
asciidoc.install(2);
/*]]>*/
</script>
</head>
<body class="article">
<div id="header">
<h1>Snort++ User Manual</h1>
<span id="author">The Snort Team</span><br />
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="./snorty.png" alt="Snorty" width="480" />
</div>
</div>
<div class="literalblock">
<div class="content">
<pre><code> ,,_     -*&gt; Snort++ &lt;*-
o"  )~   Version 3.0.0-a2 (Build 177) from 2.9.7-177
 ''''    By Martin Roesch &amp; The Snort Team
         http://snort.org/contact#team
         Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
         Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>
</div></div>
<div id="toc">
  <div id="toctitle">Contents</div>
  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_overview">Overview</h2>
<div class="sectionbody">
<div class="paragraph"><p>Snort++ is an updated version of the Snort IPS (intrusion prevention
system).  This document assumes you have some familiarity with Snort and
are looking to see what Snort++ has to offer.  Here are some of the basic
goals for Snort++:</p></div>
<div class="ulist"><ul>
<li>
<p>
Support multiple packet processing threads
</p>
</li>
<li>
<p>
Use a shared configuration and attribute table
</p>
</li>
<li>
<p>
Use a simple, scriptable configuration
</p>
</li>
<li>
<p>
Make key components pluggable
</p>
</li>
<li>
<p>
Autogenerate reference documentation
</p>
</li>
<li>
<p>
Autodetect services for portless configuration
</p>
</li>
<li>
<p>
Support sticky buffers in rules
</p>
</li>
<li>
<p>
Provide better cross platform support
</p>
</li>
</ul></div>
<div class="paragraph"><p>The above goals are met with this first alpha release.  Additional,
longer-term goals are:</p></div>
<div class="ulist"><ul>
<li>
<p>
Use a shared network map
</p>
</li>
<li>
<p>
Support pipelining of packet processing
</p>
</li>
<li>
<p>
Support hardware offload and data plane integration
</p>
</li>
<li>
<p>
Rewrite critical modules like TCP reassembly and HTTP inspection
</p>
</li>
<li>
<p>
Support proxy mode
</p>
</li>
<li>
<p>
Facilitate component testing
</p>
</li>
<li>
<p>
Simplify memory management
</p>
</li>
<li>
<p>
Provide all of Snort&#8217;s functionality
</p>
</li>
</ul></div>
<div class="paragraph"><p>This first alpha release is based on Snort 2.9.6-9 and excludes all but one
of Snort&#8217;s dynamic preprocessors.  Work is underway to port that
functionality and additions will be rolled out as they become available.</p></div>
<div class="sect2">
<h3 id="_configuration">Configuration</h3>
<div class="paragraph"><p>Note that retaining backwards compatibility is not a goal.  While Snort++
leverages some of the Snort code base, a lot has changed.  The
configuration of Snort++ is done with Lua, so your old conf won&#8217;t work as
is.  Rules are still text based but nonetheless incompatible.  However,
Snort2Lua will help you convert your conf and rules to the new format.</p></div>
<div class="paragraph"><p>The original Snort manual may be useful for some background information not
yet documented for Snort++.  The configuration differences are given in
this manual.</p></div>
</div>
<div class="sect2">
<h3 id="_modules">Modules</h3>
<div class="paragraph"><p>Snort++ is organized into a collection of builtin and plugin modules.
If a module has parameters, it is configured by a Lua table of the same
name.  For example, we can see what the active module has to offer with
this command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --help-module active</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>What: configure responses</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Type: basic</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Configuration:</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>int active.attempts = 0: number of TCP packets sent per response (with
varying sequence numbers) { 0:20 }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>string active.device: use 'ip' for network layer responses or 'eth0' etc
for link layer</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>string active.dst_mac: use format '01:23:45:67:89:ab'</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>int active.max_responses = 0: maximum number of responses { 0: }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>int active.min_interval = 255: minimum number of seconds between
responses { 1: }</code></pre>
</div></div>
<div class="paragraph"><p>This says active is a basic module that has several parameters.  For each,
you will see:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>type module.name = default: help { range }</code></pre>
</div></div>
<div class="paragraph"><p>For example, the active module has a max_responses parameter that takes
non-negative integer values and defaults to zero.  We can change that in
Lua as follows:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active = { max_responses = 1 }</code></pre>
</div></div>
<div class="paragraph"><p>or:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active = { }
active.max_responses = 1</code></pre>
</div></div>
<div class="paragraph"><p>If we also wanted to limit retries to at least 5 seconds, we could do:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active = { max_responses = 1, min_interval = 5 }</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_plugins_and_scripts">Plugins and Scripts</h3>
<div class="paragraph"><p>There are several plugin types:</p></div>
<div class="ulist"><ul>
<li>
<p>
Codec - to decode and encode packets
</p>
</li>
<li>
<p>
Inspector - like the prior preprocessors, for normalization, etc.
</p>
</li>
<li>
<p>
IpsOption - for detection in Snort++ IPS rules
</p>
</li>
<li>
<p>
IpsAction - for custom rule actions
</p>
</li>
<li>
<p>
Logger - for handling events
</p>
</li>
<li>
<p>
Mpse - for fast pattern matching
</p>
</li>
<li>
<p>
So - for dynamic rules
</p>
</li>
</ul></div>
<div class="paragraph"><p>Most plugins can be built statically or dynamically.  By default they are
all static.  There is no difference in functionality between static or
dynamic plugins but the dynamic build generates a slightly lighter weight
binary.  Either way you can add dynamic plugins with --plugin-path and
newer versions will replace older versions, even when built statically.</p></div>
<div class="paragraph"><p>The power of plugins is that they have a very focused purpose and can be
created with relative ease.  For example, you can extend the rule language
by writing your own IpsOption and it will plug in and function just like
existing options.  The extra directory has examples of each type of plugin.</p></div>
<div class="paragraph"><p>Some things just need to be tweaked or prototyped quickly.  In addition to
the Lua conf, which is a script that can contain functions to compute
settings, etc., you can also script Loggers and IpsOptions.</p></div>
</div>
<div class="sect2">
<h3 id="_new_http_inspector">New Http Inspector</h3>
<div class="paragraph"><p>One of the major undertakings for Snort 3.0 is developing a completely new
HTTP inspector. It is incomplete right now but you can examine the
work-in-progress. You can configure it by adding:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>new_http_inspect = {}</code></pre>
</div></div>
<div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code
under src/service_inspectors/nhttp_inspect.</p></div>
<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release as
http_inspect. It’s probably the better choice for now if you just want to
do some work and do not feel like experimenting. Be sure not to configure
    both old and new HTTP inspectors at the same time.</p></div>
<div class="paragraph"><p>So why a new HTTP inspector?</p></div>
<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain
this software. But it should also be really nice for open-source
developers. You can make meaningful changes and additions to HTTP
processing without having to understand the whole thing. In fact much of
the new HTTP inspector’s knowledge of HTTP is centralized in a series of
tables where it can be easily reviewed and modified. Many significant
changes can be made just by updating these tables.</p></div>
<div class="paragraph"><p>New_http_inspect is the first inspector written specifically for the new
Snort 3.0 architecture. That provides access to one of the very best
features of Snort 3.0: purely PDU-based inspection. Classic http_inspect
processes HTTP messages, but even while doing so it is constantly aware of
IP packets and how they divide up the TCP data stream. The same HTTP
message might be processed differently depending on how the sender (bad
guy) divided it up into IP packets.</p></div>
<div class="paragraph"><p>New_http_inspect is free of this burden and can focus exclusively on HTTP.
That makes it much more simple, easier to test, and less prone to false
positives. It also greatly reduces the opportunity for adversaries to probe
the inspector for weak spots by adjusting packet boundaries to disguise bad
behavior.</p></div>
<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major
new features. The new_http_inspect design supports true stateful
processing. Want to ask questions that involve both the client request and
the server response? Or different requests in the same session? These
things are possible.</p></div>
<div class="paragraph"><p>Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from
Google’s SPDY project and is in the process of being standardized. Despite
the name, it is better to think of HTTP/2 not as a newer version of
HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and
on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture
because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but
not any underlying packets. Exactly what the new_http_inspect wants to
input.</p></div>
<div class="paragraph"><p>New_http_inspect is taking a very different approach to HTTP header fields.
Classic http_inspect divides all the HTTP headers following the start line
into cookies and everything else. It normalizes the two pieces using a
generic process and puts them in buffers that one can write rules against.
There is some limited support for examining individual headers within the
inspector but it is very specific.</p></div>
<div class="paragraph"><p>The new concept is that every header should be normalized in an appropriate
and specific way and individually made available for the user to write
rules against it. If for example a header is supposed to be a date then
normalization means put that date in a standard format.</p></div>
</div>
<div class="sect2">
<h3 id="_binder_and_wizard">Binder and Wizard</h3>
<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration related to networks and ports.  Here is a brief review of Snort&#8217;s configuration for network and service related components:</p></div>
<div class="ulist"><ul>
<li>
<p>
Snort&#8217;s configuration has a default policy and optional policies selected by
  VLAN or network (with config binding).
</p>
</li>
<li>
<p>
Each policy contains a user defined set of preprocessor configurations.
</p>
</li>
<li>
<p>
Each preprocessor has a default configuration and some support non-default
  configurations selected by network.
</p>
</li>
<li>
<p>
Most preprocessors have port configurations.
</p>
</li>
<li>
<p>
The default policy may also contain a list of ports to ignore.
</p>
</li>
</ul></div>
<div class="paragraph"><p>In Snort++, the above configurations are done in a single module called the binder.  Here is an example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
    -- allow all tcp port 22:
    -- (similar to snort 2.X config ignore_ports)
    { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- select a config file by vlan
-- (similar to snort 2.X config binding by vlan)
{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- use a non-default HTTP inspector for port 8080:
-- (similar to a snort 2.X targeted preprocessor config)
{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
  use = { name = 'alt_http', type = 'http_inspect' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- use the default inspectors:
-- (similar to a snort 2.X default preprocessor config)
{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
{ when = { service = 'http' }, use = { type = 'http_inspect' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    -- figure out which inspector to run automatically:
    { use = { type = 'wizard' } }
}</code></pre>
</div></div>
<div class="paragraph"><p>Bindings are evaluated when a session starts and again if and when service is
identified on the session.  Essentially, the bindings are a list of when-use
rules evaluated from top to bottom.  The first matching network and service
configurations are applied.  binder.when can contain any combination of
criteria and binder.use can specify an action, config file, or inspector
configuration.</p></div>
<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of
malware command and control channels.  If the wizard is bound to a session, it
peeks at the initial payload to determine the service.  For example, <em>GET</em>
would indicate HTTP and <em>HELO</em> would indicate SMTP.  Upon finding a match, the
service bindings are reevaluated so the session can be handed off to the
appropriate inspector.  The wizard is still under development; if you find you
need to tweak the defaults please let us know.</p></div>
<div class="paragraph"><p>Additional Details:</p></div>
<div class="ulist"><ul>
<li>
<p>
If the wizard and one or more service inspectors are configured w/o
  explicitly configuring the binder, default bindings will be generated which
  should work for most common cases.
</p>
</li>
<li>
<p>
Also note that while Snort 2.X bindings can only be configured in the
  default policy, each Snort 3.0 policy can contain a binder leading to an
  arbitrary hierarchy.
</p>
</li>
<li>
<p>
The entire configuration can be reloaded and hot-swapped during run-time
  via signal or command in both Snort 2.X and 3.0.  Ultimately, Snort 3.0
  will support commands to update the binder on the fly, thus enabling
  incremental reloads of individual inspectors.
</p>
</li>
<li>
<p>
Both Snort 2.X and 3.0 support server specific configurations via a hosts
  table (XML in Snort 2.X and Lua in Snort 3.0).  The table allows you to
  map network, protocol, and port to a service and policy.  This table can
  be reloaded and hot-swapped separately from the config file.
</p>
</li>
<li>
<p>
You can find the specifics on the binder, wizard, and hosts tables in the
  manual or command line like this:  snort --help-module binder, etc.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_packet_processing">Packet Processing</h3>
<div class="paragraph"><p>One of the goals of Snort++ is to provide a more flexible framework for
packet processing by implementing an event-driven approach.  Another is to
produce data only when needed, to minimize expensive normalizations.  To help
explain these concepts, let&#8217;s start by examining how Snort processes
packets.  The key steps are given in the following figure:</p></div>
<div class="imageblock">
<div class="content">
<img src="./snort2x.png" alt="Snort 2X" width="640" />
</div>
</div>
<div class="paragraph"><p>The preprocess step is highly configurable.  Arbitrary preprocessors can be
loaded dynamically at startup, configured in snort.conf, and then executed
at runtime.  Basically, the preprocessors are put into a list which is
iterated for each packet.  Recent versions have tweaked the list handling
some, but the same basic architecture has allowed Snort to grow from a
sniffer, with no preprocessing, to a full-fledged IPS, with lots of
preprocessing.</p></div>
<div class="paragraph"><p>While this "list of plugins" approach has considerable flexibility, it
hampers future development when the flow of data from one preprocessor to
the next depends on traffic conditions, a common situation with advanced
features like application identification.  In this case, a preprocessor
like HTTP may be extracting and normalizing data that ultimately is not
used, or app ID may be repeatedly checking for data that is just not
available.</p></div>
<div class="paragraph"><p>Callbacks help break out of the preprocess straightjacket.  This is where
one preprocessor supplies another with a function to call when certain data
is available.  Snort has started to take this approach to pass some HTTP and
SIP preprocessor data to app ID.  However, it remains a peripheral feature
and still requires the production of data that may not be consumed.</p></div>
<div class="paragraph"><p>The basic processing steps Snort++ takes are similar to Snort&#8217;s as seen in
the following diagram.  The preprocess step employs specific inspector
types instead of a generalized list, but the basic procedure includes
stateless packet decoding, TCP stream reassembly, and service specific
analysis in both cases.  (Snort++ provides hooks for arbitrary inspectors,
but they are not central to basic flow processing and are not shown.)</p></div>
<div class="imageblock">
<div class="content">
<img src="./snort3x.png" alt="Snort 3X" width="640" />
</div>
</div>
<div class="paragraph"><p>However, Snort++ also provides a more flexible mechanism than callback
functions.  By using inspection events, it is possible for an inspector to
supply data that other inspectors can process.  This is known as the
observer pattern or publish-subscribe pattern.</p></div>
<div class="paragraph"><p>Note that the data is not actually published.  Instead, access to the data
is published, and that means that subscribers can access the raw or
normalized version(s) as needed.  Normalizations are done only on the first
access, and subsequent accesses get the previously normalized data.  This
results in just in time (JIT) processing.</p></div>
<div class="paragraph"><p>A basic example of this in action is provided by the extra data_log plugin.
It is a passive inspector, ie it does nothing until it receives the data it
subscribed for (<em>other</em> in the above diagram).  By adding data_log = { key
= <em>http_raw_uri</em> } to your snort.lua configuration, you will get a simple
URI logger.</p></div>
<div class="paragraph"><p>Inspection events coupled with pluggable inspectors provide a very flexible
framework for implementing new features.  And JIT buffer stuffers allow
Snort++ to work smarter, not harder.  These capabilities will be leveraged
more and more as Snort++ development continues.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_getting_started">Getting Started</h2>
<div class="sectionbody">
<div class="paragraph"><p>The following pointers will help you get started:</p></div>
<div class="sect2">
<h3 id="_dependencies">Dependencies</h3>
<div class="paragraph"><p>Required:</p></div>
<div class="ulist"><ul>
<li>
<p>
autotools or cmake to build from source
</p>
</li>
<li>
<p>
g++ &gt;= 4.8 or other recent C++11 compiler
</p>
</li>
<li>
<p>
daq from <a href="http://www.snort.org">http://www.snort.org</a> for packet IO
</p>
</li>
<li>
<p>
dnet from <a href="https://github.com/dugsong/libdnet.git">https://github.com/dugsong/libdnet.git</a> for network utility
  functions
</p>
</li>
<li>
<p>
LuaJIT from <a href="http://luajit.org">http://luajit.org</a> for configuration and scripting
</p>
</li>
<li>
<p>
pcap from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a> for tcpdump style logging
</p>
</li>
<li>
<p>
pcre from <a href="http://www.pcre.org">http://www.pcre.org</a> for regular expression pattern matching
</p>
</li>
<li>
<p>
zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (&gt;= 1.2.8 recommended)
</p>
</li>
<li>
<p>
pkgconfig from <a href="http://www.freedesktop.org">http://www.freedesktop.org</a> to build the example plugins
</p>
</li>
</ul></div>
<div class="paragraph"><p>Optional:</p></div>
<div class="ulist"><ul>
<li>
<p>
lzma &gt;= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a> for decompression of SWF fles
</p>
</li>
<li>
<p>
openssl from <a href="https://www.openssl.org">https://www.openssl.org</a> for SHA and MD5 file signatures and
  the protected_content rule option
</p>
</li>
<li>
<p>
hyperscan from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new and improved
  regex and (coming soon) fast pattern support
</p>
</li>
<li>
<p>
cpputest from <a href="http://cpputest.github.io">http://cpputest.github.io</a> to run additional unit tests with
  make check
</p>
</li>
<li>
<p>
asciidoc from <a href="http://www.methods.co.nz/asciidoc/">http://www.methods.co.nz/asciidoc/</a> to build the HTML
  manual
</p>
</li>
<li>
<p>
dblatex from <a href="http://dblatex.sourceforge.net">http://dblatex.sourceforge.net</a> to build the pdf manual (in
  addition to asciidoc)
</p>
</li>
<li>
<p>
w3m from <a href="http://sourceforge.net/projects/w3m/">http://sourceforge.net/projects/w3m/</a> to build the plain text
  manual
</p>
</li>
<li>
<p>
source-highlight from <a href="http://www.gnu.org/software/src-highlite/">http://www.gnu.org/software/src-highlite/</a> to
  generate the dev guide
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_building">Building</h3>
<div class="ulist"><ul>
<li>
<p>
Optionally built features are listed in the reference section.
</p>
</li>
<li>
<p>
Create an install path:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export my_path=/path/to/snorty
mkdir -p $my_path</code></pre>
</div></div>
</li>
<li>
<p>
If you are using a github clone with autotools, do this:
</p>
<div class="literalblock">
<div class="content">
<pre><code>autoreconf -isvf</code></pre>
</div></div>
</li>
<li>
<p>
Now do one of the following:
</p>
<div class="olist loweralpha"><ol class="loweralpha">
<li>
<p>
To build with autotools, simply do the usual from the top level directory:
</p>
<div class="literalblock">
<div class="content">
<pre><code>./configure --prefix=$my_path
make -j 8
make install</code></pre>
</div></div>
</li>
<li>
<p>
To build with cmake and make, run configure_cmake.sh.  It will
   automatically create and populate a new subdirectory named <em>build</em>.
</p>
<div class="literalblock">
<div class="content">
<pre><code>./configure_cmake.sh --prefix=$my_path
cd build
make -j 8
make install
ln -s $my_path/conf $my_path/etc</code></pre>
</div></div>
</li>
<li>
<p>
You can also specify a cmake project generator:
</p>
<div class="literalblock">
<div class="content">
<pre><code>./configure_cmake.sh --generator=Xcode --prefix=$my_path</code></pre>
</div></div>
</li>
<li>
<p>
Or use ccmake directly to configure and generate from an arbitrary build
   directory like one of these:
</p>
<div class="literalblock">
<div class="content">
<pre><code>ccmake -G Xcode /path/to/Snort++/tree
open snort.xcodeproj</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree
run eclipse and do File &gt; Import &gt; Existing Eclipse Project</code></pre>
</div></div>
</li>
</ol></div>
</li>
<li>
<p>
To build with g++ on OS X where clang is installed, do this first:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export CXX=g++</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_run">Run</h3>
<div class="paragraph"><p>First set up the environment:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort/</code></pre>
</div></div>
<div class="paragraph"><p>Then give it a go:</p></div>
<div class="ulist"><ul>
<li>
<p>
Get some help:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread</code></pre>
</div></div>
</li>
<li>
<p>
Examine and dump a pcap:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -r &lt;pcap&gt;
$my_path/bin/snort -K text -d -e -q -r &lt;pcap&gt;</code></pre>
</div></div>
</li>
<li>
<p>
Verify config, with or w/o rules:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>
</div></div>
</li>
<li>
<p>
Run IDS mode.  To keep it brief, look at the first n packets in each file:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
    -r &lt;pcap&gt; -A alert_test -n 100000</code></pre>
</div></div>
</li>
<li>
<p>
Let&#8217;s suppress 1:2123.  We could edit the conf or just do this:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
    -r &lt;pcap&gt; -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"</code></pre>
</div></div>
</li>
<li>
<p>
Go whole hog on a directory with multiple packet threads:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
    --pcap-filter \*.pcap --pcap-dir &lt;dir&gt; -A alert_fast -n 1000 --max-packet-threads 8</code></pre>
</div></div>
</li>
</ul></div>
<div class="paragraph"><p>For more examples, see the usage section.</p></div>
</div>
<div class="sect2">
<h3 id="_tips">Tips</h3>
<div class="paragraph"><p>One of the goals of Snort++ is to make it easier to configure your sensor.
Here is a summary of tips and tricks you may find useful.</p></div>
<div class="paragraph"><p>General Use</p></div>
<div class="ulist"><ul>
<li>
<p>
Snort tries hard not to error out too quickly.  It will report multiple
  semantic errors.
</p>
</li>
<li>
<p>
Snort always assumes the simplest mode of operation.  Eg, you can omit the -T
  option to validate the conf if you don&#8217;t provide a packet source.
</p>
</li>
<li>
<p>
Warnings are not emitted unless --warn-* is specified.  --warn-all enables all
  warnings, and --pedantic makes such warnings fatal.
</p>
</li>
<li>
<p>
You can process multiple sources at one time by using the -z or --max-threads
  option.
</p>
</li>
<li>
<p>
To make it easy to find the important data, zero counts are not output at
  shutdown.
</p>
</li>
<li>
<p>
Load plugins from the command line with --plugin-path /path/to/install/lib.
</p>
</li>
<li>
<p>
You can process multiple sources at one time by using the -z or
  --max-threads option.
</p>
</li>
<li>
<p>
Unit tests are configured with --enable-unit-tests.  They can then be run
  with snort --catch-test [tags]|all.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Lua Configuration</p></div>
<div class="ulist"><ul>
<li>
<p>
Configure the wizard and default bindings will be created based on configured
  inspectors.  No need to explicitly bind ports in this case.
</p>
</li>
<li>
<p>
You can override or add to your Lua conf with the --lua command line option.
</p>
</li>
<li>
<p>
The Lua conf is a live script that is executed when loaded.  You can add
  functions, grab environment variables, compute values, etc.
</p>
</li>
<li>
<p>
You can also rename symbols that you want to disable.  For example,
  changing normalizer to  Xnormalizer (an unknown symbol) will disable the
  normalizer.  This can be easier than commenting in some cases.
</p>
</li>
<li>
<p>
By default, symbols unknown to Snort++ are silently ignored.  You can
  generate warnings for them  with --warn-unknown.  To ignore such symbols,
  export them in the environment variable SNORT_IGNORE.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Writing and Loading Rules</p></div>
<div class="paragraph"><p>Snort++ rules allow arbitrary whitespace.  Multi-line rules make it easier to
structure your rule  for clarity.  There are multiple ways to add comments to
your rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
Like Snort, the # character starts a comment to end of line.  In addition, all
  lines between #begin and #end are comments.
</p>
</li>
<li>
<p>
The rem option allows you to write a comment that is conveyed with the rule.
</p>
</li>
<li>
<p>
C style multi-line comments are allowed, which means you can comment out
  portions of a rule while  testing it out by putting the options between /* and
  */.
</p>
</li>
</ul></div>
<div class="paragraph"><p>There are multiple ways to load rules too:</p></div>
<div class="ulist"><ul>
<li>
<p>
Set ips.rules or ips.include.
</p>
</li>
<li>
<p>
Snort 2.X include statements can be used in rules files.
</p>
</li>
<li>
<p>
Use -R to load a rules file.
</p>
</li>
<li>
<p>
Use --stdin-rules with command line redirection.
</p>
</li>
<li>
<p>
Use --lua to specify one or more rules as a command line argument.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Output Files</p></div>
<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet
threads, output files are not explicitly configured.  Instead, you can use the
options below to format the paths:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;logdir&gt;/[&lt;run_prefix&gt;][&lt;id#&gt;][&lt;X&gt;]&lt;name&gt;</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
logdir is set with -l and defaults to ./
</p>
</li>
<li>
<p>
run_prefix is set with --run-prefix else not used
</p>
</li>
<li>
<p>
id# is the packet thread number that writes the file; with one packet thread,
  id# (zero) is omitted without --id-zero
</p>
</li>
<li>
<p>
X is / if you use --id-subdir, else _ if id# is used
</p>
</li>
<li>
<p>
name is based on module name that writes the file
</p>
</li>
<li>
<p>
all text mode outputs default to stdout
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_help">Help</h3>
<div class="listingblock">
<div class="content">
<pre><code>Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [&lt;module prefix&gt;] output matching commands
--help-config [&lt;module prefix&gt;] output matching config options
--help-counts [&lt;module prefix&gt;] output matching peg counts
--help-module &lt;module&gt; output description of given module
--help-modules list all available modules with brief help
--help-plugins list all available plugins with brief help
--help-options [&lt;option prefix&gt;] output matching command line options
--help-signals dump available control signals
--list-buffers output available inspection buffers
--list-builtin [&lt;module prefix&gt;] output matching builtin rules
--list-gids [&lt;module prefix&gt;] output matching generators
--list-modules [&lt;module type&gt;] list all known modules
--list-plugins list all known modules
--show-plugins list module and plugin versions

--help* and --list* options preempt other processing so should be last on the
command line since any following options are ignored.  To ensure options like
--markup and --plugin-path take effect, place them ahead of the help or list
options.

Options that filter output based on a matching prefix, such as --help-config
won't output anything if there is no match.  If no prefix is given, everything
matches.

Report bugs to bugs@snort.org.</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_common_errors">Common Errors</h3>
<div class="paragraph"><p><em>FATAL: snort_config is required</em></p></div>
<div class="ulist"><ul>
<li>
<p>
add this line near top of file:
</p>
<div class="literalblock">
<div class="content">
<pre><code>require('snort_config')</code></pre>
</div></div>
</li>
</ul></div>
<div class="paragraph"><p><em>PANIC: unprotected error in call to Lua API (cannot open
snort_defaults.lua: No such file or directory)</em></p></div>
<div class="ulist"><ul>
<li>
<p>
export SNORT_LUA_PATH to point to any dofiles
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR can&#8217;t find xyz</em></p></div>
<div class="ulist"><ul>
<li>
<p>
if xyz is the name of a module, make sure you are not assigning a scalar
  where a table is required (e.g. xyz = 2 should be xyz = { }).
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR can&#8217;t find x.y</em></p></div>
<div class="ulist"><ul>
<li>
<p>
module x does not have a parameter named y.  check --help-module x for
  available parameters.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR invalid x.y = z</em></p></div>
<div class="ulist"><ul>
<li>
<p>
the value z is out of range for x.y.  check --help-config x.y for the range
  allowed.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR: x = { y = z } is in conf but is not being applied</em></p></div>
<div class="ulist"><ul>
<li>
<p>
make sure that x = { } isn&#8217;t set later because it will override the
  earlier setting.  same for x.y.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>FATAL: can&#8217;t load lua/errors.lua: lua/errors.lua:68: <em>=</em> expected near
';'</em></p></div>
<div class="ulist"><ul>
<li>
<p>
this is a syntax error reported by Lua to Snort on line 68 of errors.lua.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR: rules(2) unknown rule keyword: find.</em></p></div>
<div class="ulist"><ul>
<li>
<p>
this was due to not including the --script-path.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>WARNING: unknown symbol x</em></p></div>
<div class="ulist"><ul>
<li>
<p>
if you any variables, you can squelch such warnings by setting them in
  an environment variable SNORT_IGNORE.  to ignore x, y, and z:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export SNORT_IGNORE="x y z"</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gotchas">Gotchas</h3>
<div class="ulist"><ul>
<li>
<p>
A nil key in a table will not caught.  Neither will a nil value in a
  table.  Neither of the following will cause errors, nor will they
  actually set http_server.post_depth:
</p>
<div class="literalblock">
<div class="content">
<pre><code>http_server = { post_depth }
http_server = { post_depth = undefined_symbol }</code></pre>
</div></div>
</li>
<li>
<p>
It is not an error to set a value multiple times.  The actual value
  applied may not be the last in the table either.  It is best to avoid
  such cases.
</p>
<div class="literalblock">
<div class="content">
<pre><code>http_server =
{
    post_depth = 1234,
    post_depth = 4321
}</code></pre>
</div></div>
</li>
<li>
<p>
Snort can&#8217;t tell you the exact filename or line number of a semantic
  error but it will tell you the fully qualified name.
</p>
</li>
<li>
<p>
The dump DAQ will not work with multiple threads unless you use --daq-var
  file=/dev/null.  This will be fixed in at some point to use the Snort log
  directory, etc.
</p>
</li>
<li>
<p>
Variables are currently processed in an order determined by the Lua hash
  table which is effectively random.  That means you will need to use Lua
  string concatenation to ensure Snort doesn&#8217;t try to use a variable before
  it is defined (even when it is defined ahead of use in the file):
</p>
<div class="literalblock">
<div class="content">
<pre><code>-- this may fail:
MY_SERVERS = [[ 172.20.0.0/16 172.21.0.0/16 ]]
EXTERNAL_NET = '!$MY_SERVERS'</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- this will work:
MY_SERVERS = [[ 172.20.0.0/16 172.21.0.0/16 ]]
EXTERNAL_NET = '!' .. MY_SERVERS</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_bugs">Bugs</h3>
<div class="sect3">
<h4 id="_build">Build</h4>
<div class="ulist"><ul>
<li>
<p>
configure will use clang<code> by default if it is installed.
  To compile with g</code> instead:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export CXX=g++</code></pre>
</div></div>
</li>
<li>
<p>
clang coughs up these warnings:
</p>
<div class="literalblock">
<div class="content">
<pre><code>Wunused-but-set-variable is not understood by clang
clang: warning: argument unused during compilation: '-pthread'</code></pre>
</div></div>
</li>
<li>
<p>
With cmake, make install will rebuild the docs even though when already
  built.
</p>
</li>
<li>
<p>
Enabling large pcap may erroneously affect the number of packets processed
  from pcaps
</p>
</li>
<li>
<p>
Enabling debug messages may erroneously affect the number of packets
  processed from pcaps
</p>
</li>
<li>
<p>
It is not possible to build unit tests w/o static plugins.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_config">Config</h4>
<div class="ulist"><ul>
<li>
<p>
Parsing issue with IP lists.  can&#8217;t parse rules with $EXTERNAL_NET
  defined as below because or the space between ! and 10.
</p>
<div class="literalblock">
<div class="content">
<pre><code>HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]
EXTERNAL_NET = '! ' .. HOME_NET</code></pre>
</div></div>
</li>
<li>
<p>
Multiple versions of luajit scripts are not handled correctly.  The
  first loaded version will always be executed even though plugin manager
  saves the correct version.
</p>
</li>
<li>
<p>
When using -c and -L together, the last on the command line wins (-c -L
  will dump; -L -c will analyze).
</p>
</li>
<li>
<p>
Modules instantiated by command line only will not get default settings
  unless hard-coded.  This notably applies to -A and -L options.
</p>
</li>
<li>
<p>
--lua can only be used in addition to, not in place of, a -c config.
  Ideally, --lua could be used in lieu of -c.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_rules">Rules</h4>
<div class="ulist"><ul>
<li>
<p>
metdata:service foo; metadata:service foo; won&#8217;t cause a duplicate service
  warning as does metadata:service foo, service foo;
</p>
</li>
<li>
<p>
ip_proto doesn&#8217;t work properly with reassembled packets so it can&#8217;t be
  used to restrict the protocol of service rules.
</p>
</li>
<li>
<p>
Inspector events generated while parsing TCP payload in non-IPS mode will
  indicate the wrong direction (ie they will be based on the ACK packet).
  (Same is true for Snort.)
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_snort2lua">snort2lua</h4>
<div class="ulist"><ul>
<li>
<p>
uricontent:"foo"; content:"bar"; &#8594; http_uri; content:"foo"; content:"bar";
  (missing pkt_data)
</p>
</li>
<li>
<p>
stream_tcp ports and protocols both go into a single binder.when; this is
  incorrect as the when fields are logically anded together (ie must all be
  true). Should create 2 separate bindings.
</p>
</li>
<li>
<p>
There is a bug in pps_stream_tcp.cc.. when stream_tcp: is
  specified without any arguments, snort2lua doesn&#8217;t convert it.
</p>
</li>
<li>
<p>
Loses the ip list delimiters [ ]; change to ( )
</p>
<div class="literalblock">
<div class="content">
<pre><code>in snort.conf: var HOME_NET [A,B,C]
in snort.lua: HOME_NET = [[A B C]]</code></pre>
</div></div>
</li>
<li>
<p>
Won&#8217;t convert packet rules (alert tcp etc.) to service rules (alert http
  etc.).
</p>
</li>
<li>
<p>
alert_fast and alert_full: output configuration includes "file = <em>foo.bar</em>", but file is a bool
  and you cannot specify an output file name in the configuration.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_runtime">Runtime</h4>
<div class="ulist"><ul>
<li>
<p>
-B &lt;mask&gt; feature does not work. It does ordinary IP address obfuscation instead of using the
  mask.
</p>
</li>
<li>
<p>
Obfuscation does not work for csv format.
</p>
</li>
<li>
<p>
The hext DAQ will append a newline to text lines (starting with <em>"</em>).
</p>
</li>
<li>
<p>
The hext DAQ does not support embedded quotes in text lines (use hex
  lines as a workaround).
</p>
</li>
</ul></div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_basic_modules">Basic Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Internal modules which are not plugins are termed "basic".  These include
configuration for core processing.</p></div>
<div class="sect2">
<h3 id="_active">active</h3>
<div class="paragraph"><p>What: configure responses</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:20 }
</p>
</li>
<li>
<p>
string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer
</p>
</li>
<li>
<p>
string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>
</p>
</li>
<li>
<p>
int <strong>active.max_responses</strong> = 0: maximum number of responses { 0: }
</p>
</li>
<li>
<p>
int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alerts">alerts</h3>
<div class="paragraph"><p>What: configure alerts</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)
</p>
</li>
<li>
<p>
bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules
</p>
</li>
<li>
<p>
int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }
</p>
</li>
<li>
<p>
int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }
</p>
</li>
<li>
<p>
string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application
</p>
</li>
<li>
<p>
int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available memory for filters { 0: }
</p>
</li>
<li>
<p>
string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
</p>
</li>
<li>
<p>
bool <strong>alerts.stateful</strong> = false: don&#8217;t alert w/o established session (note: rule action still taken)
</p>
</li>
<li>
<p>
string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_attribute_table">attribute_table</h3>
<div class="paragraph"><p>What: configure hosts loading</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:207551 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule metadata { 1:256 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_classifications">classifications</h3>
<div class="paragraph"><p>What: define rule categories with priority</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>classifications[].name</strong>: name used with classtype rule option
</p>
</li>
<li>
<p>
int <strong>classifications[].priority</strong> = 1: default priority for class { 0: }
</p>
</li>
<li>
<p>
string <strong>classifications[].text</strong>: description of class
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_daq">daq</h3>
<div class="paragraph"><p>What: configure packet acquisition interface</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>daq.dir</strong>: directory where to search for DAQ plugins
</p>
</li>
<li>
<p>
select <strong>daq.mode</strong>: set mode of operation { passive | inline | read-file }
</p>
</li>
<li>
<p>
bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode
</p>
</li>
<li>
<p>
string <strong>daq.type</strong>: select type of DAQ
</p>
</li>
<li>
<p>
string <strong>daq.vars</strong>: comma separated list of name=value DAQ-specific parameters
</p>
</li>
<li>
<p>
int <strong>daq.snaplen</strong> = deflt: set snap length (same as -P) { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>daq.decode_data_link</strong> = false: display the second layer header info
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>daq.pcaps</strong>: total files and interfaces processed
</p>
</li>
<li>
<p>
<strong>daq.received</strong>: total packets received from DAQ
</p>
</li>
<li>
<p>
<strong>daq.analyzed</strong>: total packets analyzed from DAQ
</p>
</li>
<li>
<p>
<strong>daq.dropped</strong>: packets dropped
</p>
</li>
<li>
<p>
<strong>daq.filtered</strong>: packets filtered out
</p>
</li>
<li>
<p>
<strong>daq.outstanding</strong>: packets unprocessed
</p>
</li>
<li>
<p>
<strong>daq.injected</strong>: active responses or replacements
</p>
</li>
<li>
<p>
<strong>daq.allow</strong>: total allow verdicts
</p>
</li>
<li>
<p>
<strong>daq.block</strong>: total block verdicts
</p>
</li>
<li>
<p>
<strong>daq.replace</strong>: total replace verdicts
</p>
</li>
<li>
<p>
<strong>daq.whitelist</strong>: total whitelist verdicts
</p>
</li>
<li>
<p>
<strong>daq.blacklist</strong>: total blacklist verdicts
</p>
</li>
<li>
<p>
<strong>daq.ignore</strong>: total ignore verdicts
</p>
</li>
<li>
<p>
<strong>daq.internal blacklist</strong>: packets blacklisted internally due to lack of DAQ support
</p>
</li>
<li>
<p>
<strong>daq.internal whitelist</strong>: packets whitelisted internally due to lack of DAQ support
</p>
</li>
<li>
<p>
<strong>daq.skipped</strong>: packets skipped at startup
</p>
</li>
<li>
<p>
<strong>daq.fail open</strong>: packets passed during initialization
</p>
</li>
<li>
<p>
<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_decode">decode</h3>
<div class="paragraph"><p>What: general decoder rules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:450</strong> (decode) BAD-TRAFFIC bad IP protocol
</p>
</li>
<li>
<p>
<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:459</strong> (decode) fragment with zero length
</p>
</li>
<li>
<p>
<strong>116:150</strong> (decode) bad traffic loopback IP
</p>
</li>
<li>
<p>
<strong>116:151</strong> (decode) bad traffic same src/dst IP
</p>
</li>
<li>
<p>
<strong>116:449</strong> (decode) BAD-TRAFFIC unassigned/reserved IP protocol
</p>
</li>
<li>
<p>
<strong>116:468</strong> (decode) too many protocols present
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_detection">detection</h3>
<div class="paragraph"><p>What: configure general IPS rule processing parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }
</p>
</li>
<li>
<p>
bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, -1 = max, 0 = off { -1:1000000 }
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, -1 = max, 0 = off { -1:10000 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>detection.analyzed</strong>: packets sent to detection
</p>
</li>
<li>
<p>
<strong>detection.slow searches</strong>: non-fast pattern rule evaluations
</p>
</li>
<li>
<p>
<strong>detection.raw searches</strong>: fast pattern searches in raw packet data
</p>
</li>
<li>
<p>
<strong>detection.cooked searches</strong>: fast pattern searches in cooked packet data
</p>
</li>
<li>
<p>
<strong>detection.pkt searches</strong>: fast pattern searches in packet data
</p>
</li>
<li>
<p>
<strong>detection.alt searches</strong>: alt fast pattern searches in packet data
</p>
</li>
<li>
<p>
<strong>detection.key searches</strong>: fast pattern searches in key buffer
</p>
</li>
<li>
<p>
<strong>detection.header searches</strong>: fast pattern searches in header buffer
</p>
</li>
<li>
<p>
<strong>detection.body searches</strong>: fast pattern searches in body buffer
</p>
</li>
<li>
<p>
<strong>detection.file searches</strong>: fast pattern searches in file buffer
</p>
</li>
<li>
<p>
<strong>detection.alerts</strong>: alerts not including IP reputation
</p>
</li>
<li>
<p>
<strong>detection.total alerts</strong>: alerts including IP reputation
</p>
</li>
<li>
<p>
<strong>detection.logged</strong>: logged packets
</p>
</li>
<li>
<p>
<strong>detection.passed</strong>: passed packets
</p>
</li>
<li>
<p>
<strong>detection.match limit</strong>: fast pattern matches not processed
</p>
</li>
<li>
<p>
<strong>detection.queue limit</strong>: events not queued because queue full
</p>
</li>
<li>
<p>
<strong>detection.log limit</strong>: events queued but not logged
</p>
</li>
<li>
<p>
<strong>detection.event limit</strong>: events filtered
</p>
</li>
<li>
<p>
<strong>detection.alert limit</strong>: events previously triggered on same PDU
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_event_filter">event_filter</h3>
<div class="paragraph"><p>What: configure thresholding of events</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0: }
</p>
</li>
<li>
<p>
int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0: }
</p>
</li>
<li>
<p>
enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }
</p>
</li>
<li>
<p>
enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1: }
</p>
</li>
<li>
<p>
int <strong>event_filter[].seconds</strong> = 0: count interval { 0: }
</p>
</li>
<li>
<p>
string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_event_queue">event_queue</h3>
<div class="paragraph"><p>What: configure event queue parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1: }
</p>
</li>
<li>
<p>
int <strong>event_queue.log</strong> = 3: maximum events to log { 1: }
</p>
</li>
<li>
<p>
enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }
</p>
</li>
<li>
<p>
bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_file_id">file_id</h3>
<div class="paragraph"><p>What: configure file identification</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0: }
</p>
</li>
<li>
<p>
int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0: }
</p>
</li>
<li>
<p>
int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0: }
</p>
</li>
<li>
<p>
int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0: }
</p>
</li>
<li>
<p>
bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_type</strong> = false: enable type ID
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_signature</strong> = false: enable signature calculation
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_capture</strong> = false: enable file capture
</p>
</li>
<li>
<p>
int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0: }
</p>
</li>
<li>
<p>
int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0: }
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].msg</strong>: information about the file type
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].type</strong>: file type name
</p>
</li>
<li>
<p>
int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0: }
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].category</strong>: file type category
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].version</strong>: file type version
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].magic[].content</strong>: file magic content
</p>
</li>
<li>
<p>
int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0: }
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_hosts">hosts</h3>
<div class="paragraph"><p>What: configure hosts</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr
</p>
</li>
<li>
<p>
enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
string <strong>hosts[].services[].name</strong>: service identifier
</p>
</li>
<li>
<p>
enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }
</p>
</li>
<li>
<p>
port <strong>hosts[].services[].port</strong>: port number
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ips">ips</h3>
<div class="paragraph"><p>What: configure IPS rule processing</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs
</p>
</li>
<li>
<p>
int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>ips.include</strong>: legacy snort rules and includes
</p>
</li>
<li>
<p>
enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }
</p>
</li>
<li>
<p>
string <strong>ips.rules</strong>: snort rules and includes
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_network">network</h3>
<div class="paragraph"><p>What: configure basic network parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder
</p>
</li>
<li>
<p>
int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower ttl / hop limit (you must enable rules and / or normalization also) { 1:255 }
</p>
</li>
<li>
<p>
int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }
</p>
</li>
<li>
<p>
int <strong>network.layers</strong> = 40: The maximum number of protocols that Snort can correctly decode { 3:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip6_extensions</strong> = 0: The number of IP6 options Snort will process for a given IPv6 layer. If this limit is hit, rule 116:456 may fire.  0 = unlimited { 0:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip_layers</strong> = 0: The maximum number of IP layers Snort will process for a given packet If this limit is hit, rule 116:293 may fire.  0 = unlimited { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_output">output</h3>
<div class="paragraph"><p>What: configure general output parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)
</p>
</li>
<li>
<p>
bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records
</p>
</li>
<li>
<p>
int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)
</p>
</li>
<li>
<p>
string <strong>output.logdir</strong> = .: where to put log files (same as -l)
</p>
</li>
<li>
<p>
bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)
</p>
</li>
<li>
<p>
bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)
</p>
</li>
<li>
<p>
int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0: }
</p>
</li>
<li>
<p>
bool <strong>output.verbose</strong> = false: be verbose (same as -v)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_packets">packets</h3>
<div class="paragraph"><p>What: configure basic packet handling</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections
</p>
</li>
<li>
<p>
string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort
</p>
</li>
<li>
<p>
bool <strong>packets.enable_inline_init_failopen</strong> = true: whether to pass traffic during later stage of initialization to avoid drops
</p>
</li>
<li>
<p>
int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }
</p>
</li>
<li>
<p>
bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_process">process</h3>
<div class="paragraph"><p>What: configure basic process setup</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>process.chroot</strong>: set chroot directory (same as -t)
</p>
</li>
<li>
<p>
int <strong>process.threads[].cpu</strong> = 0: pin the associated source/thread to this cpu { 0:127 }
</p>
</li>
<li>
<p>
string <strong>process.threads[].source</strong>: set cpu affinity for this source (either pcap or &lt;iface&gt;
</p>
</li>
<li>
<p>
int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0: }
</p>
</li>
<li>
<p>
bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)
</p>
</li>
<li>
<p>
bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup
</p>
</li>
<li>
<p>
string <strong>process.set_gid</strong>: set group ID (same as -g)
</p>
</li>
<li>
<p>
string <strong>process.set_uid</strong>: set user ID (same as -u)
</p>
</li>
<li>
<p>
string <strong>process.umask</strong>: set process umask (same as -m)
</p>
</li>
<li>
<p>
bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rate_filter">rate_filter</h3>
<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0: }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0: }
</p>
</li>
<li>
<p>
enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0: }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].seconds</strong> = 1: count interval { 0: }
</p>
</li>
<li>
<p>
select <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { alert | drop | log | pass | | reject | sdrop }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].timeout</strong> = 1: count interval { 0: }
</p>
</li>
<li>
<p>
string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_references">references</h3>
<div class="paragraph"><p>What: define reference systems used in rules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>references[].name</strong>: name used with reference rule option
</p>
</li>
<li>
<p>
string <strong>references[].url</strong>: where this reference is defined
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rule_state">rule_state</h3>
<div class="paragraph"><p>What: enable/disable specific IPS rules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>rule_state.gid</strong> = 0: rule generator ID { 0: }
</p>
</li>
<li>
<p>
int <strong>rule_state.sid</strong> = 0: rule signature ID { 0: }
</p>
</li>
<li>
<p>
bool <strong>rule_state.enable</strong> = true: enable or disable rule in all policies
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_search_engine">search_engine</h3>
<div class="paragraph"><p>What: configure fast pattern matcher</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1: }
</p>
</li>
<li>
<p>
bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group
</p>
</li>
<li>
<p>
bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_fast_pattern</strong> = false: print fast pattern info for each rule
</p>
</li>
<li>
<p>
int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0: }
</p>
</li>
<li>
<p>
int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet
</p>
</li>
<li>
<p>
bool <strong>search_engine.inspect_stream_inserts</strong> = false: inspect reassembled payload - disabling is good for performance, bad for detection
</p>
</li>
<li>
<p>
dynamic <strong>search_engine.search_method</strong> = ac_bnfa_q: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_bnfa_q | ac_full | ac_full_q | ac_sparse | ac_sparse_bands | ac_std }
</p>
</li>
<li>
<p>
bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory
</p>
</li>
<li>
<p>
bool <strong>search_engine.search_optimize</strong> = false: tweak state machine construction for better performance
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_snort">snort</h3>
<div class="paragraph"><p>What: command line configuration and shell commands</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>snort.-?</strong>: &lt;option prefix&gt; output matching command line option quick help (same as --help-options) { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.-A</strong>: &lt;mode&gt; set alert mode: none, cmg, or alert_*
</p>
</li>
<li>
<p>
addr <strong>snort.-B</strong> = 255.255.255.255/32: &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask
</p>
</li>
<li>
<p>
implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)
</p>
</li>
<li>
<p>
string <strong>snort.-c</strong>: &lt;conf&gt; use this configuration
</p>
</li>
<li>
<p>
implied <strong>snort.-D</strong>: run Snort in background (daemon) mode
</p>
</li>
<li>
<p>
implied <strong>snort.-d</strong>: dump the Application Layer
</p>
</li>
<li>
<p>
implied <strong>snort.-e</strong>: display the second layer header info
</p>
</li>
<li>
<p>
implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes
</p>
</li>
<li>
<p>
int <strong>snort.-G</strong>: &lt;0xid&gt; (same as --logid) { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>snort.-g</strong>: &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-H</strong>: make hash tables deterministic
</p>
</li>
<li>
<p>
string <strong>snort.-i</strong>: &lt;iface&gt;&#8230; list of interfaces
</p>
</li>
<li>
<p>
port <strong>snort.-j</strong>: &lt;port&gt; to listen for telnet connections
</p>
</li>
<li>
<p>
enum <strong>snort.-k</strong> = all: &lt;mode&gt; checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }
</p>
</li>
<li>
<p>
string <strong>snort.-L</strong>: &lt;mode&gt; logging mode (none, dump, pcap, or log_*)
</p>
</li>
<li>
<p>
string <strong>snort.-l</strong>: &lt;logdir&gt; log to this directory instead of current directory
</p>
</li>
<li>
<p>
implied <strong>snort.-M</strong>: log messages to syslog (not alerts)
</p>
</li>
<li>
<p>
int <strong>snort.-m</strong>: &lt;umask&gt; set umask = &lt;umask&gt; { 0: }
</p>
</li>
<li>
<p>
int <strong>snort.-n</strong>: &lt;count&gt; stop after count packets { 0: }
</p>
</li>
<li>
<p>
implied <strong>snort.-O</strong>: obfuscate the logged IP addresses
</p>
</li>
<li>
<p>
implied <strong>snort.-Q</strong>: enable inline mode operation
</p>
</li>
<li>
<p>
implied <strong>snort.-q</strong>: quiet mode - Don&#8217;t show banner and status report
</p>
</li>
<li>
<p>
string <strong>snort.-R</strong>: &lt;rules&gt; include this rules file in the default policy
</p>
</li>
<li>
<p>
string <strong>snort.-r</strong>: &lt;pcap&gt;&#8230; (same as --pcap-list)
</p>
</li>
<li>
<p>
string <strong>snort.-S</strong>: &lt;x=v&gt; set config variable x equal to value v
</p>
</li>
<li>
<p>
int <strong>snort.-s</strong> = 1514: &lt;snap&gt; (same as --snaplen); default is 1514 { 68:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.-T</strong>: test and report on the current Snort configuration
</p>
</li>
<li>
<p>
string <strong>snort.-t</strong>: &lt;dir&gt; chroots process to &lt;dir&gt; after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-U</strong>: use UTC for timestamps
</p>
</li>
<li>
<p>
string <strong>snort.-u</strong>: &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-V</strong>: (same as --version)
</p>
</li>
<li>
<p>
implied <strong>snort.-v</strong>: be verbose
</p>
</li>
<li>
<p>
implied <strong>snort.-W</strong>: lists available interfaces
</p>
</li>
<li>
<p>
implied <strong>snort.-w</strong>: dump 802.11 management and control frames
</p>
</li>
<li>
<p>
implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer
</p>
</li>
<li>
<p>
implied <strong>snort.-x</strong>: same as --pedantic
</p>
</li>
<li>
<p>
implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files
</p>
</li>
<li>
<p>
int <strong>snort.-z</strong> = 1: &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0: }
</p>
</li>
<li>
<p>
implied <strong>snort.--alert-before-pass</strong>: process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,&#8230;
</p>
</li>
<li>
<p>
string <strong>snort.--bpf</strong>: &lt;filter options&gt; are standard BPF options, as seen in TCPDump
</p>
</li>
<li>
<p>
string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)
</p>
</li>
<li>
<p>
implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode
</p>
</li>
<li>
<p>
string <strong>snort.--daq</strong>: &lt;type&gt; select packet acquisition module (default is pcap)
</p>
</li>
<li>
<p>
string <strong>snort.--daq-dir</strong>: &lt;dir&gt; tell snort where to find desired DAQ
</p>
</li>
<li>
<p>
implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only
</p>
</li>
<li>
<p>
string <strong>snort.--daq-mode</strong>: &lt;mode&gt; select the DAQ operating mode
</p>
</li>
<li>
<p>
string <strong>snort.--daq-var</strong>: &lt;name=value&gt; specify extra DAQ configuration variable
</p>
</li>
<li>
<p>
implied <strong>snort.--dirty-pig</strong>: don&#8217;t flush packets on shutdown
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-builtin-rules</strong>: [&lt;module prefix&gt;] output stub rules for selected modules
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries
</p>
</li>
<li>
<p>
string <strong>snort.--dump-defaults</strong>: [&lt;module prefix&gt;] output module defaults in Lua format { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation
</p>
</li>
<li>
<p>
implied <strong>snort.--help</strong>: list command line options
</p>
</li>
<li>
<p>
string <strong>snort.--help-commands</strong>: [&lt;module prefix&gt;] output matching commands { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-config</strong>: [&lt;module prefix&gt;] output matching config options { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-counts</strong>: [&lt;module prefix&gt;] output matching peg counts { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-module</strong>: &lt;module&gt; output description of given module
</p>
</li>
<li>
<p>
implied <strong>snort.--help-modules</strong>: list all available modules with brief help
</p>
</li>
<li>
<p>
string <strong>snort.--help-options</strong>: &lt;option prefix&gt; output matching command line option quick help (same as -?) { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help
</p>
</li>
<li>
<p>
implied <strong>snort.--help-signals</strong>: dump available control signals
</p>
</li>
<li>
<p>
implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix
</p>
</li>
<li>
<p>
implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread
</p>
</li>
<li>
<p>
implied <strong>snort.--list-buffers</strong>: output available inspection buffers
</p>
</li>
<li>
<p>
string <strong>snort.--list-builtin</strong>: &lt;module prefix&gt; output matching builtin rules { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-gids</strong>: [&lt;module prefix&gt;] output matching generators { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-modules</strong>: [&lt;module type&gt;] list all known modules of given type { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--list-plugins</strong>: list all known plugins
</p>
</li>
<li>
<p>
string <strong>snort.--lua</strong>: &lt;chunk&gt; extend/override conf with chunk; may be repeated
</p>
</li>
<li>
<p>
int <strong>snort.--logid</strong>: &lt;0xid&gt; log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--markup</strong>: output help in asciidoc compatible format
</p>
</li>
<li>
<p>
int <strong>snort.--max-packet-threads</strong> = 1: &lt;count&gt; configure maximum number of packet threads (same as -z) { 0: }
</p>
</li>
<li>
<p>
implied <strong>snort.--nostamps</strong>: don&#8217;t include timestamps in log file names
</p>
</li>
<li>
<p>
implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file
</p>
</li>
<li>
<p>
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-file</strong>: &lt;file&gt; file that contains a list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-list</strong>: &lt;list&gt; a space separated list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-dir</strong>: &lt;dir&gt; a directory to recurse to look for pcaps - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-filter</strong>: &lt;filter&gt; filter to apply when getting pcaps from file or directory
</p>
</li>
<li>
<p>
int <strong>snort.--pcap-loop</strong>: &lt;count&gt; read all pcaps &lt;count&gt; times;  0 will read until Snort is terminated { -1: }
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read
</p>
</li>
<li>
<p>
implied <strong>snort.--pedantic</strong>: warnings are fatal
</p>
</li>
<li>
<p>
string <strong>snort.--plugin-path</strong>: &lt;path&gt; where to find plugins
</p>
</li>
<li>
<p>
implied <strong>snort.--process-all-events</strong>: process all action groups
</p>
</li>
<li>
<p>
string <strong>snort.--rule</strong>: &lt;rules&gt; to be added to configuration; may be repeated
</p>
</li>
<li>
<p>
implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
string <strong>snort.--run-prefix</strong>: &lt;pfx&gt; prepend this to each output file
</p>
</li>
<li>
<p>
string <strong>snort.--script-path</strong>: &lt;path&gt; to a luajit script or directory containing luajit scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--shell</strong>: enable the interactive command line
</p>
</li>
<li>
<p>
implied <strong>snort.--piglet</strong>: enable piglet test harness mode
</p>
</li>
<li>
<p>
implied <strong>snort.--show-plugins</strong>: list module and plugin versions
</p>
</li>
<li>
<p>
int <strong>snort.--skip</strong>: &lt;n&gt; skip 1st n packets { 0: }
</p>
</li>
<li>
<p>
int <strong>snort.--snaplen</strong> = 1514: &lt;snap&gt; set snaplen of packet (same as -s) { 68:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline
</p>
</li>
<li>
<p>
string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>
</p>
</li>
<li>
<p>
implied <strong>snort.--version</strong>: show version number (same as -V)
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-all</strong>: enable all warnings
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-conf</strong>: warn about configuration issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-hosts</strong>: warn about host table issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues
</p>
</li>
<li>
<p>
int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x)
</p>
</li>
<li>
<p>
string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)
</p>
</li>
</ul></div>
<div class="paragraph"><p>Commands:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>snort.show_plugins</strong>(): show available plugins
</p>
</li>
<li>
<p>
<strong>snort.dump_stats</strong>(): show summary statistics
</p>
</li>
<li>
<p>
<strong>snort.rotate_stats</strong>(): roll perfmonitor log files
</p>
</li>
<li>
<p>
<strong>snort.reload_config</strong>(filename): load new configuration
</p>
</li>
<li>
<p>
<strong>snort.reload_hosts</strong>(filename): load a new hosts table
</p>
</li>
<li>
<p>
<strong>snort.pause</strong>(): suspend packet processing
</p>
</li>
<li>
<p>
<strong>snort.resume</strong>(): continue packet processing
</p>
</li>
<li>
<p>
<strong>snort.detach</strong>(): exit shell w/o shutdown
</p>
</li>
<li>
<p>
<strong>snort.quit</strong>(): shutdown and dump-stats
</p>
</li>
<li>
<p>
<strong>snort.help</strong>(): this output
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>snort.local commands</strong>: total local commands processed
</p>
</li>
<li>
<p>
<strong>snort.remote commands</strong>: total remote commands processed
</p>
</li>
<li>
<p>
<strong>snort.signals</strong>: total signals processed
</p>
</li>
<li>
<p>
<strong>snort.conf reloads</strong>: number of times configuration was reloaded
</p>
</li>
<li>
<p>
<strong>snort.attribute table reloads</strong>: number of times hosts table was reloaded
</p>
</li>
<li>
<p>
<strong>snort.attribute table hosts</strong>: total number of hosts in table
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_suppress">suppress</h3>
<div class="paragraph"><p>What: configure event suppressions</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>suppress[].gid</strong> = 0: rule generator ID { 0: }
</p>
</li>
<li>
<p>
int <strong>suppress[].sid</strong> = 0: rule signature ID { 0: }
</p>
</li>
<li>
<p>
enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_codec_modules">Codec Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Codec is short for coder / decoder.  These modules are used for basic
protocol decoding, anomaly detection, and construction of active responses.</p></div>
<div class="sect2">
<h3 id="_arp">arp</h3>
<div class="paragraph"><p>What: support for address resolution protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:109</strong> (arp) truncated ARP
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_auth">auth</h3>
<div class="paragraph"><p>What: support for IP authentication header</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:465</strong> (auth) truncated authentication header
</p>
</li>
<li>
<p>
<strong>116:466</strong> (auth) bad authentication header length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_eapol">eapol</h3>
<div class="paragraph"><p>What: support for extensible authentication protocol over LAN</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:110</strong> (eapol) truncated EAP header
</p>
</li>
<li>
<p>
<strong>116:111</strong> (eapol) EAP key truncated
</p>
</li>
<li>
<p>
<strong>116:112</strong> (eapol) EAP header truncated
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_erspan2">erspan2</h3>
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:462</strong> (erspan2) ERSpan header version mismatch
</p>
</li>
<li>
<p>
<strong>116:463</strong> (erspan2) captured &lt; ERSpan type2 header length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_erspan3">erspan3</h3>
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 3</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:464</strong> (erspan3) captured &lt; ERSpan type3 header length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_esp">esp</h3>
<div class="paragraph"><p>What: support for encapsulating security payload</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:294</strong> (esp) truncated encapsulated security payload header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_eth">eth</h3>
<div class="paragraph"><p>What: support for ethernet protocol (DLT 1) (DLT 51)</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:424</strong> (eth) truncated eth header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_fabricpath">fabricpath</h3>
<div class="paragraph"><p>What: support for fabricpath</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:467</strong> (fabricpath) truncated FabricPath header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gre">gre</h3>
<div class="paragraph"><p>What: support for generic routing encapsulation</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:160</strong> (gre) GRE header length &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:161</strong> (gre) multiple encapsulations in packet
</p>
</li>
<li>
<p>
<strong>116:162</strong> (gre) invalid GRE version
</p>
</li>
<li>
<p>
<strong>116:163</strong> (gre) invalid GRE header
</p>
</li>
<li>
<p>
<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header
</p>
</li>
<li>
<p>
<strong>116:165</strong> (gre) GRE trans header length &gt; payload length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp">gtp</h3>
<div class="paragraph"><p>What: support for general-packet-radio-service tunnelling protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:298</strong> (gtp) GTP header length is invalid
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp4">icmp4</h3>
<div class="paragraph"><p>What: support for Internet control message protocol v4</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:105</strong> (icmp4) ICMP header truncated
</p>
</li>
<li>
<p>
<strong>116:106</strong> (icmp4) ICMP timestamp header truncated
</p>
</li>
<li>
<p>
<strong>116:107</strong> (icmp4) ICMP address header truncated
</p>
</li>
<li>
<p>
<strong>116:250</strong> (icmp4) ICMP original IP header truncated
</p>
</li>
<li>
<p>
<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ
</p>
</li>
<li>
<p>
<strong>116:252</strong> (icmp4) ICMP original datagram length &lt; original IP header length
</p>
</li>
<li>
<p>
<strong>116:253</strong> (icmp4) ICMP original IP payload &lt; 64 bits
</p>
</li>
<li>
<p>
<strong>116:254</strong> (icmp4) ICMP original IP payload &gt; 576 bytes
</p>
</li>
<li>
<p>
<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0
</p>
</li>
<li>
<p>
<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address
</p>
</li>
<li>
<p>
<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:418</strong> (icmp4) ICMP4 type other
</p>
</li>
<li>
<p>
<strong>116:434</strong> (icmp4) ICMP ping NMAP
</p>
</li>
<li>
<p>
<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1
</p>
</li>
<li>
<p>
<strong>116:436</strong> (icmp4) ICMP redirect host
</p>
</li>
<li>
<p>
<strong>116:437</strong> (icmp4) ICMP redirect net
</p>
</li>
<li>
<p>
<strong>116:438</strong> (icmp4) ICMP traceroute ipopts
</p>
</li>
<li>
<p>
<strong>116:439</strong> (icmp4) ICMP source quench
</p>
</li>
<li>
<p>
<strong>116:440</strong> (icmp4) broadscan smurf scanner
</p>
</li>
<li>
<p>
<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt
</p>
</li>
<li>
<p>
<strong>116:452</strong> (icmp4) BAD-TRAFFIC Linux ICMP header DOS attempt
</p>
</li>
<li>
<p>
<strong>116:426</strong> (icmp4) truncated ICMP4 header
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>icmp4.bad checksum</strong>: non-zero icmp checksums
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp6">icmp6</h3>
<div class="paragraph"><p>What: support for Internet control message protocol v6</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:427</strong> (icmp6) truncated ICMP6 header
</p>
</li>
<li>
<p>
<strong>116:431</strong> (icmp6) ICMP6 type not decoded
</p>
</li>
<li>
<p>
<strong>116:432</strong> (icmp6) ICMP6 packet to multicast address
</p>
</li>
<li>
<p>
<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field &lt; 1280
</p>
</li>
<li>
<p>
<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
</p>
</li>
<li>
<p>
<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0
</p>
</li>
<li>
<p>
<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set &gt; 1 hour
</p>
</li>
<li>
<p>
<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
</p>
</li>
<li>
<p>
<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>icmp6.bad checksum (ip4)</strong>: nonzero ipcm4 checksums
</p>
</li>
<li>
<p>
<strong>icmp6.bad checksum (ip6)</strong>: nonzero ipcm6 checksums
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_igmp">igmp</h3>
<div class="paragraph"><p>What: support for Internet group management protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ipv4">ipv4</h3>
<div class="paragraph"><p>What: support for Internet protocol v4</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:1</strong> (ipv4) Not IPv4 datagram
</p>
</li>
<li>
<p>
<strong>116:2</strong> (ipv4) hlen &lt; minimum
</p>
</li>
<li>
<p>
<strong>116:3</strong> (ipv4) IP dgm len &lt; IP Hdr len
</p>
</li>
<li>
<p>
<strong>116:4</strong> (ipv4) Ipv4 Options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:5</strong> (ipv4) Truncated Ipv4 Options
</p>
</li>
<li>
<p>
<strong>116:6</strong> (ipv4) IP dgm len &gt; captured len
</p>
</li>
<li>
<p>
<strong>116:404</strong> (ipv4) IPV4 packet with zero TTL
</p>
</li>
<li>
<p>
<strong>116:405</strong> (ipv4) IPV4 packet with bad frag bits (both MF and DF set)
</p>
</li>
<li>
<p>
<strong>116:407</strong> (ipv4) IPV4 packet frag offset + length exceed maximum
</p>
</li>
<li>
<p>
<strong>116:408</strong> (ipv4) IPV4 packet from <em>current net</em> source address
</p>
</li>
<li>
<p>
<strong>116:409</strong> (ipv4) IPV4 packet to <em>current net</em> dest address
</p>
</li>
<li>
<p>
<strong>116:410</strong> (ipv4) IPV4 packet from multicast source address
</p>
</li>
<li>
<p>
<strong>116:411</strong> (ipv4) IPV4 packet from reserved source address
</p>
</li>
<li>
<p>
<strong>116:412</strong> (ipv4) IPV4 packet to reserved dest address
</p>
</li>
<li>
<p>
<strong>116:413</strong> (ipv4) IPV4 packet from broadcast source address
</p>
</li>
<li>
<p>
<strong>116:414</strong> (ipv4) IPV4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:428</strong> (ipv4) IPV4 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:430</strong> (ipv4) IPV4 packet both DF and offset set
</p>
</li>
<li>
<p>
<strong>116:448</strong> (ipv4) BAD-TRAFFIC IP reserved bit set
</p>
</li>
<li>
<p>
<strong>116:444</strong> (ipv4) MISC IP option set
</p>
</li>
<li>
<p>
<strong>116:425</strong> (ipv4) truncated IP4 header
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ipv4.bad checksum</strong>: nonzero ip checksums
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ipv6">ipv6</h3>
<div class="paragraph"><p>What: support for Internet protocol v6</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6
</p>
</li>
<li>
<p>
<strong>116:272</strong> (ipv6) IPV6 truncated extension header
</p>
</li>
<li>
<p>
<strong>116:273</strong> (ipv6) IPV6 truncated header
</p>
</li>
<li>
<p>
<strong>116:274</strong> (ipv6) IP dgm len &lt; IP Hdr len
</p>
</li>
<li>
<p>
<strong>116:275</strong> (ipv6) IP dgm len &gt; captured len
</p>
</li>
<li>
<p>
<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0
</p>
</li>
<li>
<p>
<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address
</p>
</li>
<li>
<p>
<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address
</p>
</li>
<li>
<p>
<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type
</p>
</li>
<li>
<p>
<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value
</p>
</li>
<li>
<p>
<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field
</p>
</li>
<li>
<p>
<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header
</p>
</li>
<li>
<p>
<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers
</p>
</li>
<li>
<p>
<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header
</p>
</li>
<li>
<p>
<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack
</p>
</li>
<li>
<p>
<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header
</p>
</li>
<li>
<p>
<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers
</p>
</li>
<li>
<p>
<strong>116:429</strong> (ipv6) IPV6 packet has zero hop limit
</p>
</li>
<li>
<p>
<strong>116:453</strong> (ipv6) BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt
</p>
</li>
<li>
<p>
<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack
</p>
</li>
<li>
<p>
<strong>116:461</strong> (ipv6) IPV6 routing type 0 extension header
</p>
</li>
<li>
<p>
<strong>116:456</strong> (ipv6) too many IP6 extension headers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_mpls">mpls</h3>
<div class="paragraph"><p>What: support for multiprotocol label switching</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast
</p>
</li>
<li>
<p>
bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)
</p>
</li>
<li>
<p>
int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1: }
</p>
</li>
<li>
<p>
enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:170</strong> (mpls) bad MPLS frame
</p>
</li>
<li>
<p>
<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header
</p>
</li>
<li>
<p>
<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:174</strong> (mpls) MPLS label 3 appears in header
</p>
</li>
<li>
<p>
<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header
</p>
</li>
<li>
<p>
<strong>116:176</strong> (mpls) too many MPLS headers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pgm">pgm</h3>
<div class="paragraph"><p>What: support for pragmatic general multicast</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:454</strong> (pgm) BAD-TRAFFIC PGM nak list overflow attempt
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pppoe">pppoe</h3>
<div class="paragraph"><p>What: support for point-to-point protocol over ethernet</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:120</strong> (pppoe) bad PPPOE frame detected
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tcp">tcp</h3>
<div class="paragraph"><p>What: support for transmission control protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:45</strong> (tcp) TCP packet len is smaller than 20 bytes
</p>
</li>
<li>
<p>
<strong>116:46</strong> (tcp) TCP data offset is less than 5
</p>
</li>
<li>
<p>
<strong>116:47</strong> (tcp) TCP header length exceeds packet length
</p>
</li>
<li>
<p>
<strong>116:54</strong> (tcp) TCP options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:55</strong> (tcp) truncated TCP options
</p>
</li>
<li>
<p>
<strong>116:56</strong> (tcp) T/TCP detected
</p>
</li>
<li>
<p>
<strong>116:57</strong> (tcp) obsolete TCP options found
</p>
</li>
<li>
<p>
<strong>116:58</strong> (tcp) experimental TCP options found
</p>
</li>
<li>
<p>
<strong>116:59</strong> (tcp) TCP window scale option found with length &gt; 14
</p>
</li>
<li>
<p>
<strong>116:400</strong> (tcp) XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:401</strong> (tcp) Nmap XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload
</p>
</li>
<li>
<p>
<strong>116:420</strong> (tcp) TCP SYN with FIN
</p>
</li>
<li>
<p>
<strong>116:421</strong> (tcp) TCP SYN with RST
</p>
</li>
<li>
<p>
<strong>116:422</strong> (tcp) TCP PDU missing ack for established session
</p>
</li>
<li>
<p>
<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST
</p>
</li>
<li>
<p>
<strong>116:433</strong> (tcp) DDOS shaft SYN flood
</p>
</li>
<li>
<p>
<strong>116:446</strong> (tcp) BAD-TRAFFIC TCP port 0 traffic
</p>
</li>
<li>
<p>
<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected
</p>
</li>
<li>
<p>
<strong>116:403</strong> (tcp) bad traffic SYN to multicast address
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums
</p>
</li>
<li>
<p>
<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_token_ring">token_ring</h3>
<div class="paragraph"><p>What: support for token ring decoding</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:140</strong> (token_ring) (token_ring) Bad Token Ring Header
</p>
</li>
<li>
<p>
<strong>116:141</strong> (token_ring) (token_ring) Bad Token Ring ETHLLC Header
</p>
</li>
<li>
<p>
<strong>116:142</strong> (token_ring) (token_ring) Bad Token Ring MRLENHeader
</p>
</li>
<li>
<p>
<strong>116:143</strong> (token_ring) (token_ring) Bad Token Ring MR Header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_udp">udp</h3>
<div class="paragraph"><p>What: support for user datagram protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)
</p>
</li>
<li>
<p>
bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations
</p>
</li>
<li>
<p>
bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:95</strong> (udp) truncated UDP header
</p>
</li>
<li>
<p>
<strong>116:96</strong> (udp) invalid UDP header, length field &lt; 8
</p>
</li>
<li>
<p>
<strong>116:97</strong> (udp) short UDP packet, length field &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:98</strong> (udp) long UDP packet, length field &lt; payload length
</p>
</li>
<li>
<p>
<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero
</p>
</li>
<li>
<p>
<strong>116:445</strong> (udp) misc large UDP Packet
</p>
</li>
<li>
<p>
<strong>116:447</strong> (udp) BAD-TRAFFIC UDP port 0 traffic
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>udp.bad checksum (ip4)</strong>: nonzero udp over ipv4 checksums
</p>
</li>
<li>
<p>
<strong>udp.bad checksum (ip6)</strong>: nonzero udp over ipv6 checksums
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_vlan">vlan</h3>
<div class="paragraph"><p>What: support for local area network</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:130</strong> (vlan) bad VLAN frame
</p>
</li>
<li>
<p>
<strong>116:131</strong> (vlan) bad LLC header
</p>
</li>
<li>
<p>
<strong>116:132</strong> (vlan) bad extra LLC info
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_wlan">wlan</h3>
<div class="paragraph"><p>What: support for wireless local area network protocol (DLT 105)</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:133</strong> (wlan) bad 802.11 LLC header
</p>
</li>
<li>
<p>
<strong>116:134</strong> (wlan) bad 802.11 extra LLC info
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_inspector_modules">Inspector Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>These modules perform a variety of functions, including analysis of
protocols beyond basic decoding.</p></div>
<div class="sect2">
<h3 id="_arp_spoof">arp_spoof</h3>
<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address
</p>
</li>
<li>
<p>
mac <strong>arp_spoof.hosts[].mac</strong>: host mac address
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>112:1</strong> (arp_spoof) unicast ARP request
</p>
</li>
<li>
<p>
<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source
</p>
</li>
<li>
<p>
<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination
</p>
</li>
<li>
<p>
<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>arp_spoof.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_back_orifice">back_orifice</h3>
<div class="paragraph"><p>What: back orifice detection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>105:1</strong> (back_orifice) BO traffic detected
</p>
</li>
<li>
<p>
<strong>105:2</strong> (back_orifice) BO client traffic detected
</p>
</li>
<li>
<p>
<strong>105:3</strong> (back_orifice) BO server traffic detected
</p>
</li>
<li>
<p>
<strong>105:4</strong> (back_orifice) BO Snort buffer attack
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>back_orifice.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_binder">binder</h3>
<div class="paragraph"><p>What: configure processing based on CIDRs, ports, services, etc.</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>binder[].when.policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }
</p>
</li>
<li>
<p>
bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }
</p>
</li>
<li>
<p>
bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }
</p>
</li>
<li>
<p>
addr_list <strong>binder[].when.nets</strong>: list of networks
</p>
</li>
<li>
<p>
enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }
</p>
</li>
<li>
<p>
bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }
</p>
</li>
<li>
<p>
enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }
</p>
</li>
<li>
<p>
string <strong>binder[].when.service</strong>: override default configuration
</p>
</li>
<li>
<p>
enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
</p>
</li>
<li>
<p>
string <strong>binder[].use.file</strong>: use configuration in given file
</p>
</li>
<li>
<p>
string <strong>binder[].use.service</strong>: override automatic service identification
</p>
</li>
<li>
<p>
string <strong>binder[].use.type</strong>: select module for binding
</p>
</li>
<li>
<p>
string <strong>binder[].use.name</strong>: symbol name (defaults to type)
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>binder.packets</strong>: initial bindings
</p>
</li>
<li>
<p>
<strong>binder.resets</strong>: reset bindings
</p>
</li>
<li>
<p>
<strong>binder.blocks</strong>: block bindings
</p>
</li>
<li>
<p>
<strong>binder.allows</strong>: allow bindings
</p>
</li>
<li>
<p>
<strong>binder.inspects</strong>: inspect bindings
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_data_log">data_log</h3>
<div class="paragraph"><p>What: log selected published data to data.log</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>data_log.key</strong> = http_uri: name of data buffer to log
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>data_log.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dns">dns</h3>
<div class="paragraph"><p>What: dns inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>131:1</strong> (dns) Obsolete DNS RR Types
</p>
</li>
<li>
<p>
<strong>131:2</strong> (dns) Experimental DNS RR Types
</p>
</li>
<li>
<p>
<strong>131:3</strong> (dns) DNS Client rdata txt Overflow
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dns.packets</strong>: total packets processed
</p>
</li>
<li>
<p>
<strong>dns.requests</strong>: total dns requests
</p>
</li>
<li>
<p>
<strong>dns.responses</strong>: total dns responses
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dpx">dpx</h3>
<div class="paragraph"><p>What: dynamic inspector example</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
port <strong>dpx.port</strong>: port to check
</p>
</li>
<li>
<p>
int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>256:1</strong> (dpx) too much data sent to port
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dpx.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ftp_client">ftp_client</h3>
<div class="paragraph"><p>What: FTP client configuration module for use with ftp_server</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>ftp_client.bounce</strong> = false: check for bounces
</p>
</li>
<li>
<p>
addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed ip address in CIDR format
</p>
</li>
<li>
<p>
port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port { 1: }
</p>
</li>
<li>
<p>
port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive { 0: }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
int <strong>ftp_client.max_resp_len</strong> = -1: maximum ftp response accepted by client { -1: }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.telnet_cmds</strong> = false: detect telnet escape sequences on ftp control channel
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ftp_data">ftp_data</h3>
<div class="paragraph"><p>What: FTP data channel handler</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ftp_data.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ftp_server">ftp_server</h3>
<div class="paragraph"><p>What: main FTP module; ftp_client should also be configured</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command
</p>
</li>
<li>
<p>
int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200: }
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
string <strong>ftp_server.cmd_validity[].command</strong>: command string
</p>
</li>
<li>
<p>
string <strong>ftp_server.cmd_validity[].format</strong>: format specification
</p>
</li>
<li>
<p>
int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0: }
</p>
</li>
<li>
<p>
int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1: }
</p>
</li>
<li>
<p>
bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted telnet and ftp
</p>
</li>
<li>
<p>
string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect ftp data channels
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up
</p>
</li>
<li>
<p>
bool <strong>ftp_server.telnet_cmds</strong> = false: detect telnet escape sequences of ftp control channel
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel
</p>
</li>
<li>
<p>
<strong>125:2</strong> (ftp_server) invalid FTP command
</p>
</li>
<li>
<p>
<strong>125:3</strong> (ftp_server) FTP command parameters were too long
</p>
</li>
<li>
<p>
<strong>125:4</strong> (ftp_server) FTP command parameters were malformed
</p>
</li>
<li>
<p>
<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format
</p>
</li>
<li>
<p>
<strong>125:6</strong> (ftp_server) FTP response message was too long
</p>
</li>
<li>
<p>
<strong>125:7</strong> (ftp_server) FTP traffic encrypted
</p>
</li>
<li>
<p>
<strong>125:8</strong> (ftp_server) FTP bounce attempt
</p>
</li>
<li>
<p>
<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ftp_server.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_inspect">gtp_inspect</h3>
<div class="paragraph"><p>What: gtp control channel inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>gtp_inspect[].version</strong> = 2: gtp version { 0:2 }
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong>gtp_inspect[].messages[].name</strong>: message name
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong>gtp_inspect[].infos[].name</strong>: information element name
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>143:1</strong> (gtp_inspect) message length is invalid
</p>
</li>
<li>
<p>
<strong>143:2</strong> (gtp_inspect) information element length is invalid
</p>
</li>
<li>
<p>
<strong>143:3</strong> (gtp_inspect) information elements are out of order
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>gtp_inspect.sessions</strong>: total sessions processed
</p>
</li>
<li>
<p>
<strong>gtp_inspect.events</strong>: requests
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown types</strong>: unknown message types
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown infos</strong>: unknown information elements
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_global">http_global</h3>
<div class="paragraph"><p>What: http inspector global configuration and client rules for use with http_server</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>http_global.compress_depth</strong> = 65535: maximum amount of packet payload to decompress { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.b64_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.bitenc_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.max_mime_mem</strong> = 838860: single packet decode depth { 3276: }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.qp_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.uu_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decompress_depth</strong> = 65535: maximum amount of decompressed data to process { 1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_global.detect_anomalous_servers</strong> = false: inspect non-configured ports for HTTP - bad idea
</p>
</li>
<li>
<p>
int <strong>http_global.max_gzip_mem</strong> = 838860: total memory used for decompression across all active sessions { 3276: }
</p>
</li>
<li>
<p>
int <strong>http_global.memcap</strong> = 150994944: limit of memory used for logging extra data { 2304: }
</p>
</li>
<li>
<p>
bool <strong>http_global.proxy_alert</strong> = false: alert on proxy usage for servers without allow_proxy_use
</p>
</li>
<li>
<p>
int <strong>http_global.unicode_map.code_page</strong> = 1252: select code page in map file { 0: }
</p>
</li>
<li>
<p>
string <strong>http_global.unicode_map.map_file</strong>: unicode map file
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>119:1</strong> (http_global) ascii encoding
</p>
</li>
<li>
<p>
<strong>119:2</strong> (http_global) double decoding attack
</p>
</li>
<li>
<p>
<strong>119:3</strong> (http_global) u encoding
</p>
</li>
<li>
<p>
<strong>119:4</strong> (http_global) bare byte unicode encoding
</p>
</li>
<li>
<p>
<strong>119:5</strong> (http_global) base36 encoding
</p>
</li>
<li>
<p>
<strong>119:6</strong> (http_global) UTF-8 encoding
</p>
</li>
<li>
<p>
<strong>119:7</strong> (http_global) IIS unicode codepoint encoding
</p>
</li>
<li>
<p>
<strong>119:8</strong> (http_global) multi_slash encoding
</p>
</li>
<li>
<p>
<strong>119:9</strong> (http_global) IIS backslash evasion
</p>
</li>
<li>
<p>
<strong>119:10</strong> (http_global) self directory traversal
</p>
</li>
<li>
<p>
<strong>119:11</strong> (http_global) directory traversal
</p>
</li>
<li>
<p>
<strong>119:12</strong> (http_global) apache whitespace (tab)
</p>
</li>
<li>
<p>
<strong>119:13</strong> (http_global) non-RFC http delimiter
</p>
</li>
<li>
<p>
<strong>119:14</strong> (http_global) non-RFC defined char
</p>
</li>
<li>
<p>
<strong>119:15</strong> (http_global) oversize request-URI directory
</p>
</li>
<li>
<p>
<strong>119:16</strong> (http_global) oversize chunk encoding
</p>
</li>
<li>
<p>
<strong>119:17</strong> (http_global) unauthorized proxy use detected
</p>
</li>
<li>
<p>
<strong>119:18</strong> (http_global) webroot directory traversal
</p>
</li>
<li>
<p>
<strong>119:19</strong> (http_global) long header
</p>
</li>
<li>
<p>
<strong>119:20</strong> (http_global) max header fields
</p>
</li>
<li>
<p>
<strong>119:21</strong> (http_global) multiple content length
</p>
</li>
<li>
<p>
<strong>119:22</strong> (http_global) chunk size mismatch detected
</p>
</li>
<li>
<p>
<strong>119:23</strong> (http_global) invalid ip in true-client-IP/XFF header
</p>
</li>
<li>
<p>
<strong>119:24</strong> (http_global) multiple host hdrs detected
</p>
</li>
<li>
<p>
<strong>119:25</strong> (http_global) hostname exceeds 255 characters
</p>
</li>
<li>
<p>
<strong>119:26</strong> (http_global) header parsing space saturation
</p>
</li>
<li>
<p>
<strong>119:27</strong> (http_global) client consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>119:28</strong> (http_global) post w/o content-length or chunks
</p>
</li>
<li>
<p>
<strong>119:29</strong> (http_global) multiple true IPs in a session
</p>
</li>
<li>
<p>
<strong>119:30</strong> (http_global) both true-client-IP and XFF hdrs present
</p>
</li>
<li>
<p>
<strong>119:31</strong> (http_global) unknown method
</p>
</li>
<li>
<p>
<strong>119:32</strong> (http_global) simple request
</p>
</li>
<li>
<p>
<strong>119:33</strong> (http_global) unescaped space in http URI
</p>
</li>
<li>
<p>
<strong>119:34</strong> (http_global) too many pipelined requests
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>http_global.packets</strong>: total packets processed
</p>
</li>
<li>
<p>
<strong>http_global.gets</strong>: GET requests
</p>
</li>
<li>
<p>
<strong>http_global.posts</strong>: POST requests
</p>
</li>
<li>
<p>
<strong>http_global.request headers</strong>: total requests
</p>
</li>
<li>
<p>
<strong>http_global.response headers</strong>: total responses
</p>
</li>
<li>
<p>
<strong>http_global.request cookies</strong>: requests with Cookie
</p>
</li>
<li>
<p>
<strong>http_global.response cookies</strong>: responses with Set-Cookie
</p>
</li>
<li>
<p>
<strong>http_global.post params</strong>: POST parameters extracted
</p>
</li>
<li>
<p>
<strong>http_global.unicode</strong>: unicode normalizations
</p>
</li>
<li>
<p>
<strong>http_global.double unicode</strong>: double unicode normalizations
</p>
</li>
<li>
<p>
<strong>http_global.non-ascii</strong>: non-ascii normalizations
</p>
</li>
<li>
<p>
<strong>http_global.paths with ../</strong>: directory traversal normalizations
</p>
</li>
<li>
<p>
<strong>http_global.paths with //</strong>: double slash normalizations
</p>
</li>
<li>
<p>
<strong>http_global.paths with ./</strong>: relative directory normalizations
</p>
</li>
<li>
<p>
<strong>http_global.gzip packets</strong>: packets with gzip compression
</p>
</li>
<li>
<p>
<strong>http_global.compressed bytes</strong>: total comparessed bytes processed
</p>
</li>
<li>
<p>
<strong>http_global.decompressed bytes</strong>: total bytes decompressed
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_inspect">http_inspect</h3>
<div class="paragraph"><p>What: http inspection and server rules; also configure http_inspect</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>http_inspect.allow_proxy_use</strong> = false: don&#8217;t alert on proxy use for this server
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_pdf</strong> = false: enable decompression of the compressed portions of PDF files
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_swf</strong> = false: enable decompression of SWF (Adobe Flash content)
</p>
</li>
<li>
<p>
bool <strong>http_inspect.enable_cookies</strong> = true: extract cookies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.enable_xff</strong> = false: log True-Client-IP and X-Forwarded-For headers with unified2 alerts as extra data
</p>
</li>
<li>
<p>
bool <strong>http_inspect.extended_ascii_uri</strong> = false: allow extended ASCII codes in the request URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.extended_response_inspection</strong> = true: extract response headers
</p>
</li>
<li>
<p>
string <strong>http_inspect.http_methods</strong> = GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA: request methods allowed in addition to GET and POST
</p>
</li>
<li>
<p>
bool <strong>http_inspect.inspect_gzip</strong> = true: enable gzip decompression of compressed bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.inspect_uri_only</strong> = false: disable all detection except for uricontent
</p>
</li>
<li>
<p>
bool <strong>http_inspect.log_hostname</strong> = false: enable logging of Hostname with unified2 alerts as extra data
</p>
</li>
<li>
<p>
bool <strong>http_inspect.log_uri</strong> = false: enable logging of URI with unified2 alerts as extra data
</p>
</li>
<li>
<p>
bool <strong>http_inspect.no_pipeline_req</strong> = false: don&#8217;t inspect pipelined requests after first (still does general detection)
</p>
</li>
<li>
<p>
bit_list <strong>http_inspect.non_rfc_chars</strong> = 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07: alert on given non-RFC chars being present in the URI { 255 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_cookies</strong> = false: normalize cookies similar to URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_headers</strong> = false: normalize headers other than cookie similar to URI
</p>
</li>
<li>
<p>
int <strong>http_inspect.oversize_dir_length</strong> = 500: alert if a URL has a directory longer than this limit { 0: }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.apache_whitespace</strong> = false: don&#8217;t alert if tab is used in lieu of space characters
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.ascii</strong> = false: enable decoding ASCII like %2f to /
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.bare_byte</strong> = false: decode non-standard, non-ASCII character encodings
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.chunk_length</strong> = 500000: alert on chunk lengths greater than specified { 1: }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.client_flow_depth</strong> = 0: raw request payload to inspect { -1:1460 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.directory</strong> = false: normalize . and .. sequences out of URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.double_decode</strong> = false: iis specific extra decoding
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.iis_backslash</strong> = false: normalize directory slashes
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.iis_delimiter</strong> = false: allow use of non-standard delimiter
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.iis_unicode</strong> = false: enable unicode code point mapping using unicode_map settings
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.iis_unicode_map.code_page</strong> = 1252: select code page in map file { 0: }
</p>
</li>
<li>
<p>
string <strong>http_inspect.profile.iis_unicode_map.map_file</strong>: unicode map file
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_header_length</strong> = 750: maximum allowed client request header field { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_headers</strong> = 100: maximum allowed client request headers { 0:1024 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_spaces</strong> = 200: maximum allowed whitespaces when folding { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.multi_slash</strong> = false: normalize out consecutive slashes in URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.non_strict</strong> = true: allows HTTP 0.9 processing
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_javascript_whitespaces</strong> = 200: maximum number of consecutive whitespaces { 0: }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.normalize_utf</strong> = true: normalize response bodies with UTF content-types
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.normalize_javascript</strong> = true: normalize javascript between &lt;script&gt; tags
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.post_depth</strong> = 65495: amount of POST data to inspect { -1:65535 }
</p>
</li>
<li>
<p>
enum <strong>http_inspect.profile.profile_type</strong> = default: set defaults appropriate for selected server { default | apache | iis | iis_40 | iis_50 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.server_flow_depth</strong> = 0: response payload to inspect; includes headers with extended_response_inspection { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.u_encode</strong> = true: decode %uXXXX character sequences
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.utf_8</strong> = false: decode UTF-8 unicode sequences in URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.webroot</strong> = false: alert on directory traversals past the top level (web server root)
</p>
</li>
<li>
<p>
bit_list <strong>http_inspect.profile.whitespace_chars</strong>: allowed white space characters { 255 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.small_chunk_count</strong> = 5: alert if more than this limit of consecutive chunks are below small_chunk_length { 0:255 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.small_chunk_length</strong> = 10: alert if more than small_chunk_count consecutive chunks below this limit { 0:255 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.tab_uri_delimiter</strong> = false: whether a tab not preceded by a space is considered a delimiter or part of URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.unlimited_decompress</strong> = true: decompress across multiple packets
</p>
</li>
<li>
<p>
bool <strong>http_inspect.xff_headers</strong> = false: not implemented
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>120:1</strong> (http_inspect) anomalous http server on undefined HTTP port
</p>
</li>
<li>
<p>
<strong>120:2</strong> (http_inspect) invalid status code in HTTP response
</p>
</li>
<li>
<p>
<strong>120:3</strong> (http_inspect) no content-length or transfer-encoding in HTTP response
</p>
</li>
<li>
<p>
<strong>120:4</strong> (http_inspect) HTTP response has UTF charset which failed to normalize
</p>
</li>
<li>
<p>
<strong>120:5</strong> (http_inspect) HTTP response has UTF-7 charset
</p>
</li>
<li>
<p>
<strong>120:6</strong> (http_inspect) HTTP response gzip decompression failed
</p>
</li>
<li>
<p>
<strong>120:7</strong> (http_inspect) server consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>120:8</strong> (http_inspect) invalid content-length or chunk size
</p>
</li>
<li>
<p>
<strong>120:9</strong> (http_inspect) javascript obfuscation levels exceeds 1
</p>
</li>
<li>
<p>
<strong>120:10</strong> (http_inspect) javascript whitespaces exceeds max allowed
</p>
</li>
<li>
<p>
<strong>120:11</strong> (http_inspect) multiple encodings within javascript obfuscated data
</p>
</li>
<li>
<p>
<strong>120:12</strong> (http_inspect) HTTP response SWF file zlib decompression failure
</p>
</li>
<li>
<p>
<strong>120:13</strong> (http_inspect) HTTP response SWF file LZMA decompression failure
</p>
</li>
<li>
<p>
<strong>120:14</strong> (http_inspect) HTTP response PDF file deflate decompression failure
</p>
</li>
<li>
<p>
<strong>120:15</strong> (http_inspect) HTTP response PDF file unsupported compression type
</p>
</li>
<li>
<p>
<strong>120:16</strong> (http_inspect) HTTP response PDF file cascaded compression
</p>
</li>
<li>
<p>
<strong>120:17</strong> (http_inspect) HTTP response PDF file parse failure
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_imap">imap</h3>
<div class="paragraph"><p>What: imap inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>imap.b64_decode_depth</strong> = 1460:  base64 decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.bitenc_decode_depth</strong> = 1460:  Non-Encoded MIME attachment extraction depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.qp_decode_depth</strong> = 1460:  Quoted Printable decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.uu_decode_depth</strong> = 1460:  Unix-to-Unix decoding depth { -1:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>141:1</strong> (imap) Unknown IMAP3 command
</p>
</li>
<li>
<p>
<strong>141:2</strong> (imap) Unknown IMAP3 response
</p>
</li>
<li>
<p>
<strong>141:4</strong> (imap) Base64 Decoding failed.
</p>
</li>
<li>
<p>
<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.
</p>
</li>
<li>
<p>
<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>imap.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modbus">modbus</h3>
<div class="paragraph"><p>What: modbus inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function
</p>
</li>
<li>
<p>
<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero
</p>
</li>
<li>
<p>
<strong>144:3</strong> (modbus) Reserved Modbus function code in use
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>modbus.sessions</strong>: total sessions processed
</p>
</li>
<li>
<p>
<strong>modbus.frames</strong>: total Modbus messages
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_new_http_inspect">new_http_inspect</h3>
<div class="paragraph"><p>What: new HTTP inspector</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>new_http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }
</p>
</li>
<li>
<p>
int <strong>new_http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }
</p>
</li>
<li>
<p>
bool <strong>new_http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies
</p>
</li>
<li>
<p>
bool <strong>new_http_inspect.test_input</strong> = false: read HTTP messages from text file
</p>
</li>
<li>
<p>
bool <strong>new_http_inspect.test_output</strong> = false: print out HTTP section data
</p>
</li>
<li>
<p>
int <strong>new_http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>219:1</strong> (new_http_inspect) ascii encoding
</p>
</li>
<li>
<p>
<strong>219:2</strong> (new_http_inspect) double decoding attack
</p>
</li>
<li>
<p>
<strong>219:3</strong> (new_http_inspect) u encoding
</p>
</li>
<li>
<p>
<strong>219:4</strong> (new_http_inspect) bare byte unicode encoding
</p>
</li>
<li>
<p>
<strong>219:5</strong> (new_http_inspect) obsolete event&#8212;should not appear
</p>
</li>
<li>
<p>
<strong>219:6</strong> (new_http_inspect) UTF-8 encoding
</p>
</li>
<li>
<p>
<strong>219:7</strong> (new_http_inspect) IIS unicode codepoint encoding
</p>
</li>
<li>
<p>
<strong>219:8</strong> (new_http_inspect) multi_slash encoding
</p>
</li>
<li>
<p>
<strong>219:9</strong> (new_http_inspect) IIS backslash evasion
</p>
</li>
<li>
<p>
<strong>219:10</strong> (new_http_inspect) self directory traversal
</p>
</li>
<li>
<p>
<strong>219:11</strong> (new_http_inspect) directory traversal
</p>
</li>
<li>
<p>
<strong>219:12</strong> (new_http_inspect) apache whitespace (tab)
</p>
</li>
<li>
<p>
<strong>219:13</strong> (new_http_inspect) non-RFC http delimiter
</p>
</li>
<li>
<p>
<strong>219:14</strong> (new_http_inspect) non-RFC defined char
</p>
</li>
<li>
<p>
<strong>219:15</strong> (new_http_inspect) oversize request-uri directory
</p>
</li>
<li>
<p>
<strong>219:16</strong> (new_http_inspect) oversize chunk encoding
</p>
</li>
<li>
<p>
<strong>219:17</strong> (new_http_inspect) unauthorized proxy use detected
</p>
</li>
<li>
<p>
<strong>219:18</strong> (new_http_inspect) webroot directory traversal
</p>
</li>
<li>
<p>
<strong>219:19</strong> (new_http_inspect) long header
</p>
</li>
<li>
<p>
<strong>219:20</strong> (new_http_inspect) max header fields
</p>
</li>
<li>
<p>
<strong>219:21</strong> (new_http_inspect) multiple content length
</p>
</li>
<li>
<p>
<strong>219:22</strong> (new_http_inspect) chunk size mismatch detected
</p>
</li>
<li>
<p>
<strong>219:23</strong> (new_http_inspect) invalid IP in true-client-IP/XFF header
</p>
</li>
<li>
<p>
<strong>219:24</strong> (new_http_inspect) multiple host hdrs detected
</p>
</li>
<li>
<p>
<strong>219:25</strong> (new_http_inspect) hostname exceeds 255 characters
</p>
</li>
<li>
<p>
<strong>219:26</strong> (new_http_inspect) header parsing space saturation
</p>
</li>
<li>
<p>
<strong>219:27</strong> (new_http_inspect) client consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>219:28</strong> (new_http_inspect) post w/o content-length or chunks
</p>
</li>
<li>
<p>
<strong>219:29</strong> (new_http_inspect) multiple true ips in a session
</p>
</li>
<li>
<p>
<strong>219:30</strong> (new_http_inspect) both true-client-IP and XFF hdrs present
</p>
</li>
<li>
<p>
<strong>219:31</strong> (new_http_inspect) unknown method
</p>
</li>
<li>
<p>
<strong>219:32</strong> (new_http_inspect) simple request
</p>
</li>
<li>
<p>
<strong>219:33</strong> (new_http_inspect) unescaped space in HTTP URI
</p>
</li>
<li>
<p>
<strong>219:34</strong> (new_http_inspect) too many pipelined requests
</p>
</li>
<li>
<p>
<strong>219:35</strong> (new_http_inspect) anomalous http server on undefined HTTP port
</p>
</li>
<li>
<p>
<strong>219:36</strong> (new_http_inspect) invalid status code in HTTP response
</p>
</li>
<li>
<p>
<strong>219:37</strong> (new_http_inspect) no content-length or transfer-encoding in HTTP response
</p>
</li>
<li>
<p>
<strong>219:38</strong> (new_http_inspect) HTTP response has UTF charset which failed to normalize
</p>
</li>
<li>
<p>
<strong>219:39</strong> (new_http_inspect) HTTP response has UTF-7 charset
</p>
</li>
<li>
<p>
<strong>219:40</strong> (new_http_inspect) HTTP response gzip decompression failed
</p>
</li>
<li>
<p>
<strong>219:41</strong> (new_http_inspect) server consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>219:42</strong> (new_http_inspect) invalid content-length or chunk size
</p>
</li>
<li>
<p>
<strong>219:43</strong> (new_http_inspect) javascript obfuscation levels exceeds 1
</p>
</li>
<li>
<p>
<strong>219:44</strong> (new_http_inspect) javascript whitespaces exceeds max allowed
</p>
</li>
<li>
<p>
<strong>219:45</strong> (new_http_inspect) multiple encodings within javascript obfuscated data
</p>
</li>
<li>
<p>
<strong>219:46</strong> (new_http_inspect) SWF file zlib decompression failure
</p>
</li>
<li>
<p>
<strong>219:47</strong> (new_http_inspect) SWF file LZMA decompression failure
</p>
</li>
<li>
<p>
<strong>219:48</strong> (new_http_inspect) PDF file deflate decompression failure
</p>
</li>
<li>
<p>
<strong>219:49</strong> (new_http_inspect) PDF file unsupported compression type
</p>
</li>
<li>
<p>
<strong>219:50</strong> (new_http_inspect) PDF file cascaded compression
</p>
</li>
<li>
<p>
<strong>219:51</strong> (new_http_inspect) PDF file parse failure
</p>
</li>
<li>
<p>
<strong>219:52</strong> (new_http_inspect) HTTP misformatted or not really HTTP
</p>
</li>
<li>
<p>
<strong>219:53</strong> (new_http_inspect) Chunk length has excessive leading zeros
</p>
</li>
<li>
<p>
<strong>219:54</strong> (new_http_inspect) White space before or between messages
</p>
</li>
<li>
<p>
<strong>219:55</strong> (new_http_inspect) Request message without URI
</p>
</li>
<li>
<p>
<strong>219:56</strong> (new_http_inspect) Control character in reason phrase
</p>
</li>
<li>
<p>
<strong>219:57</strong> (new_http_inspect) Illegal extra whitespace in start line
</p>
</li>
<li>
<p>
<strong>219:58</strong> (new_http_inspect) Corrupted HTTP version
</p>
</li>
<li>
<p>
<strong>219:59</strong> (new_http_inspect) Unknown HTTP version
</p>
</li>
<li>
<p>
<strong>219:60</strong> (new_http_inspect) Format error in HTTP header
</p>
</li>
<li>
<p>
<strong>219:61</strong> (new_http_inspect) Chunk header options present
</p>
</li>
<li>
<p>
<strong>219:62</strong> (new_http_inspect) URI badly formatted
</p>
</li>
<li>
<p>
<strong>219:63</strong> (new_http_inspect) URI bad port number
</p>
</li>
<li>
<p>
<strong>219:64</strong> (new_http_inspect) HTTP chunk misformatted
</p>
</li>
<li>
<p>
<strong>219:65</strong> (new_http_inspect) White space following chunk length
</p>
</li>
<li>
<p>
<strong>219:67</strong> (new_http_inspect) Excessive gzip compression
</p>
</li>
<li>
<p>
<strong>219:68</strong> (new_http_inspect) Gzip decompression failed
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_normalizer">normalizer</h3>
<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>normalizer.ip4.base</strong> = true: clear options
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.df</strong> = false: clear don&#8217;t frag flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data
</p>
</li>
<li>
<p>
select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
multi <strong>normalizer.tcp.allow_names</strong>: don&#8217;t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }
</p>
</li>
<li>
<p>
string <strong>normalizer.tcp.allow_codes</strong>: don&#8217;t clear given option codes
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip6</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp4</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp6</strong> = false: clear reserved flag
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>normalizer.ip4 trim</strong>: eth packets trimmed to datagram size
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 trim</strong>: During inline mode, would have eth packets trimmed to datagram size
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 tos</strong>: type of service normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 tos</strong>: During inline mode, would have type of service normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 df</strong>: don&#8217;t frag bit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 df</strong>: During inline mode, would have don&#8217;t frag bit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 rf</strong>: reserved flag bit clears
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 rf</strong>: During inline mode, would have reserved flag bit clears
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 ttl</strong>: time-to-live normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 ttl</strong>: During inline mode, would have time-to-live normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 opts</strong>: ip4 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 opts</strong>: During inline mode, would have ip4 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.icmp4 echo</strong>: icmp4 ping normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test icmp4 echo</strong>: During inline mode, would have icmp4 ping normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip6 hops</strong>: ip6 hop limit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip6 hops</strong>: During inline mode, would have ip6 hop limit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip6 options</strong>: ip6 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test ip6 options</strong>: During inline mode, would have ip6 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.icmp6 echo</strong>: icmp6 echo normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test icmp6 echo</strong>: During inline mode, would have icmp6 echo normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.tcp syn options</strong>: SYN only options cleared from non-SYN packets
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp syn options</strong>: During inline mode, would have SYN only options cleared from non-SYN packets
</p>
</li>
<li>
<p>
<strong>normalizer.tcp options</strong>: packets with options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp options</strong>: During inline mode, would have packets with options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp paddding</strong>: packets with padding cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp paddding</strong>: During inline mode, would have packets with padding cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp reserved</strong>: packets with reserved bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp reserved</strong>: During inline mode, would have packets with reserved bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp nonce</strong>: packets with nonce bit cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp nonce</strong>: During inline mode, would have packets with nonce bit cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp urgent ptr</strong>: packets without data with urgent pointer cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp urgent ptr</strong>: During inline mode, would have packets without data with urgent pointer cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ecn pkt</strong>: packets with ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ecn pkt</strong>: During inline mode, would have packets with ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ts ecr</strong>: timestamp cleared on non-ACKs
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ts ecr</strong>: During inline mode, would have timestamp cleared on non-ACKs
</p>
</li>
<li>
<p>
<strong>normalizer.tcp req urg</strong>: cleared urgent pointer when urgent flag is not set
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp req urg</strong>: During inline mode, would have cleared urgent pointer when urgent flag is not set
</p>
</li>
<li>
<p>
<strong>normalizer.tcp req pay</strong>: cleared urgent pointer and urgent flag when there is no payload
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp req pay</strong>: During inline mode, would have cleared urgent pointer and urgent flag when there is no payload
</p>
</li>
<li>
<p>
<strong>normalizer.tcp req urp</strong>: cleared the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp req urp</strong>: During inline mode, would have cleared the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim syn</strong>: tcp segments trimmed on SYN
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim syn</strong>: During inline mode, would have tcp segments trimmed on SYN
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim rst</strong>: RST packets with data trimmed
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim rst</strong>: During inline mode, would have RST packets with data trimmed
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim win</strong>: data trimed to window
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim win</strong>: During inline mode, would have data trimed to window
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim mss</strong>: data trimmed to MSS
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim mss</strong>: During inline mode, would have data trimmed to MSS
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ecn session</strong>: ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ecn session</strong>: During inline mode, would have ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ts nop</strong>: timestamp options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ts nop</strong>: During inline mode, would have timestamp options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ips data</strong>: normalized segments
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ips data</strong>: During inline mode, would have normalized segments
</p>
</li>
<li>
<p>
<strong>normalizer.tcp block</strong>: blocked segments
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp block</strong>: During inline mode, would have blocked segments
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_perf_monitor">perf_monitor</h3>
<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>perf_monitor.packets</strong> = 10000: minim packets to report { 0: }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.seconds</strong> = 60: report interval; 0 means report at exit only { 0: }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.max_file_size</strong> = 4294967295: files will be rolled over if they exceed this size { 4096: }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0: }
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.reset</strong> = true: reset (clear) statistics after each reporting interval
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.max</strong> = false: calculate theoretical maximum performance
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.console</strong> = false: output to console
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.events</strong> = false: report on qualified vs non-qualified events
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.file</strong> = false: output base stats to perf_monitor.csv instead of stdout
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_file</strong> = false: output traffic statistics to a perf_monitor_flow.csv instead of stdout
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_ip_file</strong> = false: output host pair statistics to perf_monitor_flow_ip.csv instead of stdout
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>perf_monitor.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pop">pop</h3>
<div class="paragraph"><p>What: pop inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>pop.b64_decode_depth</strong> = 1460:  base64 decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.bitenc_decode_depth</strong> = 1460:  Non-Encoded MIME attachment extraction depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.qp_decode_depth</strong> = 1460:  Quoted Printable decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.uu_decode_depth</strong> = 1460:  Unix-to-Unix decoding depth { -1:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>142:1</strong> (pop) Unknown POP3 command
</p>
</li>
<li>
<p>
<strong>142:2</strong> (pop) Unknown POP3 response
</p>
</li>
<li>
<p>
<strong>142:4</strong> (pop) Base64 Decoding failed.
</p>
</li>
<li>
<p>
<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.
</p>
</li>
<li>
<p>
<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>pop.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_port_scan">port_scan</h3>
<div class="paragraph"><p>What: port scan inspector; also configure port_scan_global</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }
</p>
</li>
<li>
<p>
multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }
</p>
</li>
<li>
<p>
enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }
</p>
</li>
<li>
<p>
string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts
</p>
</li>
<li>
<p>
bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports
</p>
</li>
<li>
<p>
bool <strong>port_scan.logfile</strong> = false: write scan events to file
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>122:1</strong> (port_scan) TCP portscan
</p>
</li>
<li>
<p>
<strong>122:2</strong> (port_scan) TCP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:3</strong> (port_scan) TCP portsweep
</p>
</li>
<li>
<p>
<strong>122:4</strong> (port_scan) TCP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:5</strong> (port_scan) TCP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:6</strong> (port_scan) TCP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:7</strong> (port_scan) TCP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:8</strong> (port_scan) TCP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:9</strong> (port_scan) IP protocol scan
</p>
</li>
<li>
<p>
<strong>122:10</strong> (port_scan) IP decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:11</strong> (port_scan) IP protocol sweep
</p>
</li>
<li>
<p>
<strong>122:12</strong> (port_scan) IP distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:13</strong> (port_scan) IP filtered protocol scan
</p>
</li>
<li>
<p>
<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:15</strong> (port_scan) IP filtered protocol sweep
</p>
</li>
<li>
<p>
<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:17</strong> (port_scan) UDP portscan
</p>
</li>
<li>
<p>
<strong>122:18</strong> (port_scan) UDP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:19</strong> (port_scan) UDP portsweep
</p>
</li>
<li>
<p>
<strong>122:20</strong> (port_scan) UDP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:21</strong> (port_scan) UDP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:22</strong> (port_scan) UDP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:23</strong> (port_scan) UDP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:24</strong> (port_scan) UDP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:25</strong> (port_scan) ICMP sweep
</p>
</li>
<li>
<p>
<strong>122:26</strong> (port_scan) ICMP filtered sweep
</p>
</li>
<li>
<p>
<strong>122:27</strong> (port_scan) open port
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_port_scan_global">port_scan_global</h3>
<div class="paragraph"><p>What: shared settings for port_scan inspectors for use with port_scan</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>port_scan_global.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rpc_decode">rpc_decode</h3>
<div class="paragraph"><p>What: RPC inspector</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>106:1</strong> (rpc_decode) fragmented RPC records
</p>
</li>
<li>
<p>
<strong>106:2</strong> (rpc_decode) multiple RPC records
</p>
</li>
<li>
<p>
<strong>106:3</strong> (rpc_decode) large RPC record fragment
</p>
</li>
<li>
<p>
<strong>106:4</strong> (rpc_decode) incomplete RPC segment
</p>
</li>
<li>
<p>
<strong>106:5</strong> (rpc_decode) zero-length RPC fragment
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rpc_decode.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sip">sip</h3>
<div class="paragraph"><p>What: sip inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel
</p>
</li>
<li>
<p>
int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:4194303 }
</p>
</li>
<li>
<p>
int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_sessions</strong> = 10000: maximum number of sessions that can be allocated { 1024:4194303 }
</p>
</li>
<li>
<p>
int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>sip.methods</strong> = invite cancel ack  bye register options: list of methods to check in sip messages
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>140:1</strong> (sip) Maximum sessions reached
</p>
</li>
<li>
<p>
<strong>140:2</strong> (sip) Empty request URI
</p>
</li>
<li>
<p>
<strong>140:3</strong> (sip) URI is too long
</p>
</li>
<li>
<p>
<strong>140:4</strong> (sip) Empty call-Id
</p>
</li>
<li>
<p>
<strong>140:5</strong> (sip) Call-Id is too long
</p>
</li>
<li>
<p>
<strong>140:6</strong> (sip) CSeq number is too large or negative
</p>
</li>
<li>
<p>
<strong>140:7</strong> (sip) Request name in CSeq is too long
</p>
</li>
<li>
<p>
<strong>140:8</strong> (sip) Empty From header
</p>
</li>
<li>
<p>
<strong>140:9</strong> (sip) From header is too long
</p>
</li>
<li>
<p>
<strong>140:10</strong> (sip) Empty To header
</p>
</li>
<li>
<p>
<strong>140:11</strong> (sip) To header is too long
</p>
</li>
<li>
<p>
<strong>140:12</strong> (sip) Empty Via header
</p>
</li>
<li>
<p>
<strong>140:13</strong> (sip) Via header is too long
</p>
</li>
<li>
<p>
<strong>140:14</strong> (sip) Empty Contact
</p>
</li>
<li>
<p>
<strong>140:15</strong> (sip) Contact is too long
</p>
</li>
<li>
<p>
<strong>140:16</strong> (sip) Content length is too large or negative
</p>
</li>
<li>
<p>
<strong>140:17</strong> (sip) Multiple SIP messages in a packet
</p>
</li>
<li>
<p>
<strong>140:18</strong> (sip) Content length mismatch
</p>
</li>
<li>
<p>
<strong>140:19</strong> (sip) Request name is invalid
</p>
</li>
<li>
<p>
<strong>140:20</strong> (sip) Invite replay attack
</p>
</li>
<li>
<p>
<strong>140:21</strong> (sip) Illegal session information modification
</p>
</li>
<li>
<p>
<strong>140:22</strong> (sip) Response status code is not a 3 digit number
</p>
</li>
<li>
<p>
<strong>140:23</strong> (sip) Empty Content-type header
</p>
</li>
<li>
<p>
<strong>140:24</strong> (sip) SIP version is invalid
</p>
</li>
<li>
<p>
<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header
</p>
</li>
<li>
<p>
<strong>140:26</strong> (sip) Method is unknown
</p>
</li>
<li>
<p>
<strong>140:27</strong> (sip) Maximum dialogs within a session reached
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>sip.sessions</strong>: total sessions
</p>
</li>
<li>
<p>
<strong>sip.events</strong>: events generated
</p>
</li>
<li>
<p>
<strong>sip.dialogs</strong>: total dialogs
</p>
</li>
<li>
<p>
<strong>sip.ignored channels</strong>: total channels ignored
</p>
</li>
<li>
<p>
<strong>sip.ignored sessions</strong>: total sessions ignored
</p>
</li>
<li>
<p>
<strong>sip.requests</strong>: total requests
</p>
</li>
<li>
<p>
<strong>sip.responses</strong>: total responses
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_smtp">smtp</h3>
<div class="paragraph"><p>What: smtp inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>smtp.alt_max_command_line_len[].command</strong>: command string
</p>
</li>
<li>
<p>
int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0: }
</p>
</li>
<li>
<p>
string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange
</p>
</li>
<li>
<p>
string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command
</p>
</li>
<li>
<p>
int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter
</p>
</li>
<li>
<p>
int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules
</p>
</li>
<li>
<p>
string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side
</p>
</li>
<li>
<p>
bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data
</p>
</li>
<li>
<p>
bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body
</p>
</li>
<li>
<p>
bool <strong>smtp.log_mailfrom</strong> = false: log the sender&#8217;s email address extracted from the MAIL FROM command
</p>
</li>
<li>
<p>
bool <strong>smtp.log_rcptto</strong> = false: log the recipient&#8217;s email address extracted from the RCPT TO command
</p>
</li>
<li>
<p>
int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }
</p>
</li>
<li>
<p>
string <strong>smtp.normalize_cmds</strong>: list of commands to normalize
</p>
</li>
<li>
<p>
int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.valid_cmds</strong>: list of valid commands
</p>
</li>
<li>
<p>
enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>124:1</strong> (smtp) Attempted command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:2</strong> (smtp) Attempted data header buffer overflow
</p>
</li>
<li>
<p>
<strong>124:3</strong> (smtp) Attempted response buffer overflow
</p>
</li>
<li>
<p>
<strong>124:4</strong> (smtp) Attempted specific command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:5</strong> (smtp) Unknown command
</p>
</li>
<li>
<p>
<strong>124:6</strong> (smtp) Illegal command
</p>
</li>
<li>
<p>
<strong>124:7</strong> (smtp) Attempted header name buffer overflow
</p>
</li>
<li>
<p>
<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:10</strong> (smtp) Base64 Decoding failed.
</p>
</li>
<li>
<p>
<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed.
</p>
</li>
<li>
<p>
<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed.
</p>
</li>
<li>
<p>
<strong>124:14</strong> (smtp) Cyrus SASL authentication attack.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>smtp.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssh">ssh</h3>
<div class="paragraph"><p>What: ssh inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit
</p>
</li>
<li>
<p>
<strong>128:2</strong> (ssh) SSH1 CRC32 exploit
</p>
</li>
<li>
<p>
<strong>128:3</strong> (ssh) Server version string overflow
</p>
</li>
<li>
<p>
<strong>128:5</strong> (ssh) Bad message direction
</p>
</li>
<li>
<p>
<strong>128:6</strong> (ssh) Payload size incorrect for the given payload
</p>
</li>
<li>
<p>
<strong>128:7</strong> (ssh) Failed to detect SSH version string
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ssh.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssl">ssl</h3>
<div class="paragraph"><p>What: ssl inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides
</p>
</li>
<li>
<p>
int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected
</p>
</li>
<li>
<p>
<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected
</p>
</li>
<li>
<p>
<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected
</p>
</li>
<li>
<p>
<strong>137:4</strong> (ssl) Large Heartbeat Response Detected
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ssl.packets</strong>: total packets processed
</p>
</li>
<li>
<p>
<strong>ssl.decoded</strong>: ssl packets decoded
</p>
</li>
<li>
<p>
<strong>ssl.client hello</strong>: total client hellos
</p>
</li>
<li>
<p>
<strong>ssl.server hello</strong>: total server hellos
</p>
</li>
<li>
<p>
<strong>ssl.certificate</strong>: total ssl certificates
</p>
</li>
<li>
<p>
<strong>ssl.server done</strong>: total server done
</p>
</li>
<li>
<p>
<strong>ssl.client key exchange</strong>: total client key exchanges
</p>
</li>
<li>
<p>
<strong>ssl.server key exchange</strong>: total server key exchanges
</p>
</li>
<li>
<p>
<strong>ssl.change cipher</strong>: total change cipher records
</p>
</li>
<li>
<p>
<strong>ssl.finished</strong>: total handshakes finished
</p>
</li>
<li>
<p>
<strong>ssl.client application</strong>: total client application records
</p>
</li>
<li>
<p>
<strong>ssl.server application</strong>: total server application records
</p>
</li>
<li>
<p>
<strong>ssl.alert</strong>: total ssl alert records
</p>
</li>
<li>
<p>
<strong>ssl.unrecognized records</strong>: total unrecognized records
</p>
</li>
<li>
<p>
<strong>ssl.handshakes completed</strong>: total completed ssl handshakes
</p>
</li>
<li>
<p>
<strong>ssl.bad handshakes</strong>: total bad handshakes
</p>
</li>
<li>
<p>
<strong>ssl.sessions ignored</strong>: total sessions ignore
</p>
</li>
<li>
<p>
<strong>ssl.detection disabled</strong>: total detection disabled
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream">stream</h3>
<div class="paragraph"><p>What: common flow tracking</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.memcap</strong> = 23920640: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.memcap</strong> = 268435456: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.max_sessions</strong> =  128: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream.ip flows</strong>: total ip sessions
</p>
</li>
<li>
<p>
<strong>stream.ip prunes</strong>: ip sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.icmp flows</strong>: total icmp sessions
</p>
</li>
<li>
<p>
<strong>stream.icmp prunes</strong>: icmp sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.tcp flows</strong>: total tcp sessions
</p>
</li>
<li>
<p>
<strong>stream.tcp prunes</strong>: tcp sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.udp flows</strong>: total udp sessions
</p>
</li>
<li>
<p>
<strong>stream.udp prunes</strong>: udp sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.user flows</strong>: total user sessions
</p>
</li>
<li>
<p>
<strong>stream.user prunes</strong>: user sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.file flows</strong>: total file sessions
</p>
</li>
<li>
<p>
<strong>stream.file prunes</strong>: file sessions pruned
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_file">stream_file</h3>
<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>stream_file.upload</strong> = false: indicate file transfer direction
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_icmp">stream_icmp</h3>
<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_icmp.created</strong>: icmp session trackers created
</p>
</li>
<li>
<p>
<strong>stream_icmp.released</strong>: icmp session trackers released
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_ip">stream_ip</h3>
<div class="paragraph"><p>What: stream inspector for IP flow tracking and defragmentation</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1: }
</p>
</li>
<li>
<p>
int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with ttl below the minimum { 1:255 }
</p>
</li>
<li>
<p>
enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets
</p>
</li>
<li>
<p>
<strong>123:2</strong> (stream_ip) teardrop attack
</p>
</li>
<li>
<p>
<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt
</p>
</li>
<li>
<p>
<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet
</p>
</li>
<li>
<p>
<strong>123:5</strong> (stream_ip) zero-byte fragment packet
</p>
</li>
<li>
<p>
<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative
</p>
</li>
<li>
<p>
<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536
</p>
</li>
<li>
<p>
<strong>123:8</strong> (stream_ip) fragmentation overlap
</p>
</li>
<li>
<p>
<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly
</p>
</li>
<li>
<p>
<strong>123:12</strong> (stream_ip) excessive fragment overlap
</p>
</li>
<li>
<p>
<strong>123:13</strong> (stream_ip) tiny fragment
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_ip.fragments</strong>: total fragments
</p>
</li>
<li>
<p>
<strong>stream_ip.reassembled</strong>: reassembled datagrams
</p>
</li>
<li>
<p>
<strong>stream_ip.discards</strong>: fragments discarded
</p>
</li>
<li>
<p>
<strong>stream_ip.memory faults</strong>: memory faults
</p>
</li>
<li>
<p>
<strong>stream_ip.frag timeouts</strong>: datagrams abandoned
</p>
</li>
<li>
<p>
<strong>stream_ip.overlaps</strong>: overlapping fragments
</p>
</li>
<li>
<p>
<strong>stream_ip.anomalies</strong>: anomalies detected
</p>
</li>
<li>
<p>
<strong>stream_ip.alerts</strong>: alerts generated
</p>
</li>
<li>
<p>
<strong>stream_ip.drops</strong>: fragments dropped
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers added</strong>: datagram trackers created
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers freed</strong>: datagram trackers released
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes inserted</strong>: fragments added to tracker
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes deleted</strong>: fragments deleted from tracker
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_tcp">stream_tcp</h3>
<div class="paragraph"><p>What: stream inspector for TCP flow tracking and stream normalization and reassembly</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0: }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.ignore_any_rules</strong> = false: process tcp content rules w/o ports only if rules with ports are present
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_window</strong> = 0: maximum allowed tcp window { 0:1073725440 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:255 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:65535 }
</p>
</li>
<li>
<p>
enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions
</p>
</li>
<li>
<p>
int <strong>stream_tcp.require_3whs</strong> = -1: don&#8217;t track midstream sessions after given seconds from start up; -1 tracks all { -1:86400 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don&#8217;t queue more than given bytes per session and direction { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don&#8217;t queue more than given segments per session and direction { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.footprint</strong> = 0: use zero for production, non-zero for testing at given size { 0: }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>129:1</strong> (stream_tcp) SYN on established session
</p>
</li>
<li>
<p>
<strong>129:2</strong> (stream_tcp) data on SYN packet
</p>
</li>
<li>
<p>
<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data
</p>
</li>
<li>
<p>
<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window
</p>
</li>
<li>
<p>
<strong>129:5</strong> (stream_tcp) bad segment, adjusted size &#8656; 0
</p>
</li>
<li>
<p>
<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows
</p>
</li>
<li>
<p>
<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached
</p>
</li>
<li>
<p>
<strong>129:8</strong> (stream_tcp) data sent on stream after TCP Reset sent
</p>
</li>
<li>
<p>
<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:10</strong> (stream_tcp) TCP Server possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set
</p>
</li>
<li>
<p>
<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold
</p>
</li>
<li>
<p>
<strong>129:13</strong> (stream_tcp) 4-way handshake detected
</p>
</li>
<li>
<p>
<strong>129:14</strong> (stream_tcp) TCP timestamp is missing
</p>
</li>
<li>
<p>
<strong>129:15</strong> (stream_tcp) reset outside window
</p>
</li>
<li>
<p>
<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:18</strong> (stream_tcp) data sent on stream after TCP Reset received
</p>
</li>
<li>
<p>
<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data
</p>
</li>
<li>
<p>
<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_tcp.sessions</strong>: total sessions
</p>
</li>
<li>
<p>
<strong>stream_tcp.timeouts</strong>: sessions timed out
</p>
</li>
<li>
<p>
<strong>stream_tcp.resyns</strong>: SYN received on established session
</p>
</li>
<li>
<p>
<strong>stream_tcp.discards</strong>: tcp packets discarded
</p>
</li>
<li>
<p>
<strong>stream_tcp.events</strong>: events generated
</p>
</li>
<li>
<p>
<strong>stream_tcp.ignored</strong>: tcp packets ignored
</p>
</li>
<li>
<p>
<strong>stream_tcp.untracked</strong>: tcp packets not tracked
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn trackers</strong>: tcp session tracking started on syn
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn-ack trackers</strong>: tcp session tracking started on syn-ack
</p>
</li>
<li>
<p>
<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack
</p>
</li>
<li>
<p>
<strong>stream_tcp.data trackers</strong>: tcp session tracking started on data
</p>
</li>
<li>
<p>
<strong>stream_tcp.trackers created</strong>: tcp session trackers created
</p>
</li>
<li>
<p>
<strong>stream_tcp.trackers released</strong>: tcp session trackers released
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs queued</strong>: total segments queued
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs released</strong>: total segments released
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs split</strong>: tcp segments split when reassembling PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs used</strong>: queued tcp segments applied to reassembled PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt packets</strong>: total reassembled PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt buffers</strong>: rebuilt PDU sections
</p>
</li>
<li>
<p>
<strong>stream_tcp.overlaps</strong>: overlapping segments queued
</p>
</li>
<li>
<p>
<strong>stream_tcp.gaps</strong>: missing data between PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.max segs</strong>: number of times the maximum queued segment limit was reached
</p>
</li>
<li>
<p>
<strong>stream_tcp.max bytes</strong>: number of times the maximum queued byte limit was reached
</p>
</li>
<li>
<p>
<strong>stream_tcp.internal events</strong>: 135:X events generated
</p>
</li>
<li>
<p>
<strong>stream_tcp.client cleanups</strong>: number of times data from server was flushed when session released
</p>
</li>
<li>
<p>
<strong>stream_tcp.server cleanups</strong>: number of times data from client was flushed when session released
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_udp">stream_udp</h3>
<div class="paragraph"><p>What: stream inspector for UDP flow tracking</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
bool <strong>stream_udp.ignore_any_rules</strong> = false: process udp content rules w/o ports only if rules with ports are present
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_udp.sessions</strong>: total udp sessions
</p>
</li>
<li>
<p>
<strong>stream_udp.created</strong>: udp session trackers created
</p>
</li>
<li>
<p>
<strong>stream_udp.released</strong>: udp session trackers released
</p>
</li>
<li>
<p>
<strong>stream_udp.timeouts</strong>: udp session timeouts
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_user">stream_user</h3>
<div class="paragraph"><p>What: stream inspector for user flow tracking and reassembly</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_telnet">telnet</h3>
<div class="paragraph"><p>What: telnet inspection and normalization</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }
</p>
</li>
<li>
<p>
bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted telnet and ftp
</p>
</li>
<li>
<p>
bool <strong>telnet.normalize</strong> = false: eliminate escape sequences
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>126:1</strong> (telnet) consecutive telnet AYT commands beyond threshold
</p>
</li>
<li>
<p>
<strong>126:2</strong> (telnet) telnet traffic encrypted
</p>
</li>
<li>
<p>
<strong>126:3</strong> (telnet) telnet subnegotiation begin command without subnegotiation end
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>telnet.packets</strong>: total packets
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_wizard">wizard</h3>
<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>wizard.hexes[].service</strong>: name of service
</p>
</li>
<li>
<p>
select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
string <strong>wizard.spells[].service</strong>: name of service
</p>
</li>
<li>
<p>
select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)
</p>
</li>
<li>
<p>
string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>wizard.tcp scans</strong>: tcp payload scans
</p>
</li>
<li>
<p>
<strong>wizard.tcp hits</strong>: tcp identifications
</p>
</li>
<li>
<p>
<strong>wizard.udp scans</strong>: udp payload scans
</p>
</li>
<li>
<p>
<strong>wizard.udp hits</strong>: udp identifications
</p>
</li>
<li>
<p>
<strong>wizard.user scans</strong>: user payload scans
</p>
</li>
<li>
<p>
<strong>wizard.user hits</strong>: user identifications
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ips_action_modules">IPS Action Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>IPS actions allow you to perform custom actions when events are generated.
Unlike loggers, these are invoked before thresholding and can be used to
control external agents.</p></div>
<div class="paragraph"><p>Externally defined actions must be configured to become available to the
parser.  For the reject rule, you can set reject = { } to get the rule to
parse.</p></div>
<div class="sect2">
<h3 id="_react">react</h3>
<div class="paragraph"><p>What: send response to client and terminate session</p></div>
<div class="paragraph"><p>Type: ips_action</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>react.msg</strong> = false:  use rule msg in response page instead of default message
</p>
</li>
<li>
<p>
string <strong>react.page</strong>: file containing HTTP response (headers and body)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_reject">reject</h3>
<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>
<div class="paragraph"><p>Type: ips_action</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>reject.reset</strong>: send tcp reset to one or both ends { source|dest|both }
</p>
</li>
<li>
<p>
enum <strong>reject.control</strong>: send icmp unreachable(s) { network|host|port|all }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rewrite">rewrite</h3>
<div class="paragraph"><p>What: overwrite packet contents</p></div>
<div class="paragraph"><p>Type: ips_action</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ips_option_modules">IPS Option Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>IPS options are the building blocks of IPS rules.</p></div>
<div class="sect2">
<h3 id="_ack">ack</h3>
<div class="paragraph"><p>What: rule option to match on TCP ack numbers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>ack.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_asn1">asn1</h3>
<div class="paragraph"><p>What: rule option for asn1 detection</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>asn1.bitstring_overflow</strong>: Detects invalid bitstring encodings that are known to be remotely exploitable.
</p>
</li>
<li>
<p>
implied <strong>asn1.double_overflow</strong>: Detects a double ASCII encoding that is larger than a standard buffer.
</p>
</li>
<li>
<p>
implied <strong>asn1.print</strong>: &lt;&gt;max | &lt;max | &gt;min
</p>
</li>
<li>
<p>
int <strong>asn1.oversize_length</strong>: Compares ASN.1 type lengths with the supplied argument. { 0: }
</p>
</li>
<li>
<p>
int <strong>asn1.absolute_offset</strong>: Absolute offset from the beginning of the packet. { 0: }
</p>
</li>
<li>
<p>
int <strong>asn1.relative_offset</strong>: relative offset from the cursor.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_base64_decode">base64_decode</h3>
<div class="paragraph"><p>What: rule option to decode base64 data - must be used with base64_data option</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>base64_decode.bytes</strong>: Number of base64 encoded bytes to decode. { 1: }
</p>
</li>
<li>
<p>
int <strong>base64_decode.offset</strong> = 0: Bytes past start of buffer to start decoding. { 0: }
</p>
</li>
<li>
<p>
implied <strong>base64_decode.relative</strong>: Apply offset to cursor instead of start of buffer.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_bufferlen">bufferlen</h3>
<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>bufferlen.~range</strong>: len | min&lt;&gt;max | &lt;max | &gt;min
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_extract">byte_extract</h3>
<div class="paragraph"><p>What: rule option to convert data to an integer variable</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }
</p>
</li>
<li>
<p>
string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options
</p>
</li>
<li>
<p>
implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_extract.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_extract.string</strong>: convert from string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dec</strong>: convert from decimal string
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_jump">byte_jump</h3>
<div class="paragraph"><p>What: rule option to move the detection cursor</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor
</p>
</li>
<li>
<p>
int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_jump.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_jump.string</strong>: convert from string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dec</strong>: convert from decimal string
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_test">byte_test</h3>
<div class="paragraph"><p>What: rule option to convert data to integer and compare</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against
</p>
</li>
<li>
<p>
string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing
</p>
</li>
<li>
<p>
implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_test.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_test.string</strong>: convert from string
</p>
</li>
<li>
<p>
implied <strong>byte_test.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_test.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_test.dec</strong>: convert from decimal string
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_classtype">classtype</h3>
<div class="paragraph"><p>What: general rule option for rule classification</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>classtype.~</strong>: classification for this rule
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_content">content</h3>
<div class="paragraph"><p>What: payload rule option for basic pattern matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>content.~data</strong>: data to match
</p>
</li>
<li>
<p>
implied <strong>content.nocase</strong>: case insensitive match
</p>
</li>
<li>
<p>
implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0: }
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1: }
</p>
</li>
<li>
<p>
string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer
</p>
</li>
<li>
<p>
string <strong>content.distance</strong>: var or number of bytes from cursor to start search
</p>
</li>
<li>
<p>
string <strong>content.within</strong>: var or maximum number of bytes to search from cursor
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_cvs">cvs</h3>
<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_detection_filter">detection_filter</h3>
<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }
</p>
</li>
<li>
<p>
int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dsize">dsize</h3>
<div class="paragraph"><p>What: rule option to test payload size</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_file_data">file_data</h3>
<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_flags">flags</h3>
<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>flags.~test_flags</strong>: these flags are tested
</p>
</li>
<li>
<p>
string <strong>flags.~mask_flags</strong>: these flags are don&#8217;t cares
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_flow">flow</h3>
<div class="paragraph"><p>What: rule option to check session properties</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>flow.to_client</strong>: match on server responses
</p>
</li>
<li>
<p>
implied <strong>flow.to_server</strong>: match on client requests
</p>
</li>
<li>
<p>
implied <strong>flow.from_client</strong>: same as to_server
</p>
</li>
<li>
<p>
implied <strong>flow.from_server</strong>: same as to_client
</p>
</li>
<li>
<p>
implied <strong>flow.established</strong>: match only during data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.not_established</strong>: match only outside data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.stateless</strong>: match regardless of stream state
</p>
</li>
<li>
<p>
implied <strong>flow.no_stream</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.only_stream</strong>: match on reassembled packets only
</p>
</li>
<li>
<p>
implied <strong>flow.no_frag</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.only_frag</strong>: match on defragmented packets only
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_flowbits">flowbits</h3>
<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>flowbits.~command</strong>: set|reset|isset|etc.
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg1</strong>: bits or group
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg2</strong>: group if arg1 is bits
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_fragbits">fragbits</h3>
<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>fragbits.~flags</strong>: these flags are tested
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_fragoffset">fragoffset</h3>
<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>fragoffset.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gid">gid</h3>
<div class="paragraph"><p>What: rule option specifying rule generator</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>gid.~</strong>: generator id { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_info">gtp_info</h3>
<div class="paragraph"><p>What: rule option to check gtp info element</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>gtp_info.~</strong>: info element to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_type">gtp_type</h3>
<div class="paragraph"><p>What: rule option to check gtp types</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>gtp_type.~</strong>: list of types to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_version">gtp_version</h3>
<div class="paragraph"><p>What: rule option to check gtp version</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>gtp_version.~</strong>: version to match { 0:2 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_client_body">http_client_body</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_cookie">http_cookie</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_header">http_header</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized header(s)</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>http_header.~name</strong>: restrict to given header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_method">http_method</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_raw_cookie">http_raw_cookie</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_raw_header">http_raw_header</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_raw_uri">http_raw_uri</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_stat_code">http_stat_code</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_stat_msg">http_stat_msg</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_http_uri">http_uri</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_icmp_id">icmp_id</h3>
<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>icmp_id.~range</strong>: check if icmp id is <em>id | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp_seq">icmp_seq</h3>
<div class="paragraph"><p>What: rule option to check ICMP sequence number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>icmp_seq.~range</strong>: check if icmp sequence number is <em>seq | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icode">icode</h3>
<div class="paragraph"><p>What: rule option to check ICMP code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>icode.~range</strong>: check if ICMP code is <em>code | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_id">id</h3>
<div class="paragraph"><p>What: rule option to check the IP ID field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>id.~range</strong>: check if the IP ID is <em>id | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ip_proto">ip_proto</h3>
<div class="paragraph"><p>What: rule option to check the IP protocol number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>ip_proto.~proto</strong>: [!|&gt;|&lt;] name or number
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ipopts">ipopts</h3>
<div class="paragraph"><p>What: rule option to check for IP options</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_isdataat">isdataat</h3>
<div class="paragraph"><p>What: rule option to check for the presence of payload data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>isdataat.~length</strong>: num | !num
</p>
</li>
<li>
<p>
implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_itype">itype</h3>
<div class="paragraph"><p>What: rule option to check ICMP type</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>itype.~range</strong>: check if icmp type is <em>type | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_md5">md5</h3>
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>md5.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_metadata">metadata</h3>
<div class="paragraph"><p>What: rule option for conveying arbitrary name, value data within the rule text</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>metadata.service</strong>: service name
</p>
</li>
<li>
<p>
string <strong>metadata.</strong>*: additional parameters not used by snort
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modbus_data">modbus_data</h3>
<div class="paragraph"><p>What: rule option to set cursor to modbus data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_modbus_func">modbus_func</h3>
<div class="paragraph"><p>What: rule option to check modbus function code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>modbus_func.~</strong>: function code to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modbus_unit">modbus_unit</h3>
<div class="paragraph"><p>What: rule option to check modbus unit ID</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>modbus_unit.~</strong>: modbus unit ID { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_msg">msg</h3>
<div class="paragraph"><p>What: rule option summarizing rule purpose output with events</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>msg.~</strong>: message describing rule
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pcre">pcre</h3>
<div class="paragraph"><p>What: rule option for matching payload data with regex</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>pcre.~regex</strong>: Snort regular expression
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pkt_data">pkt_data</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_pkt_num">pkt_num</h3>
<div class="paragraph"><p>What: alert on raw packet number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>pkt_num.~range</strong>: check if packet number is in given range
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_priority">priority</h3>
<div class="paragraph"><p>What: rule option for prioritizing events</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_raw_data">raw_data</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the raw packet data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_reference">reference</h3>
<div class="paragraph"><p>What: rule option to indicate relevant attack identification system</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>reference.~scheme</strong>: reference scheme
</p>
</li>
<li>
<p>
string <strong>reference.~id</strong>: reference id
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rem">rem</h3>
<div class="paragraph"><p>What: rule option to convey an arbitrary comment in the rule body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>rem.~</strong>: comment
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_replace">replace</h3>
<div class="paragraph"><p>What: rule option to overwrite payload data; use with rewrite action</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>replace.~</strong>: byte code to replace with
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rev">rev</h3>
<div class="paragraph"><p>What: rule option to indicate current revision of signature</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>rev.~</strong>: revision { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rpc">rpc</h3>
<div class="paragraph"><p>What: rule option to check SUNRPC CALL parameters</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>rpc.~app</strong>: application number
</p>
</li>
<li>
<p>
string <strong>rpc.~ver</strong>: version number or * for any
</p>
</li>
<li>
<p>
string <strong>rpc.~proc</strong>: procedure number or * for any
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_seq">seq</h3>
<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>seq.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_session">session</h3>
<div class="paragraph"><p>What: rule option to check user data from TCP sessions</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>session.~mode</strong>: output format { printable|binary|all }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sha256">sha256</h3>
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>sha256.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sha512">sha512</h3>
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>sha512.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sid">sid</h3>
<div class="paragraph"><p>What: rule option to indicate signature number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>sid.~</strong>: signature id { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sip_body">sip_body</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_sip_header">sip_header</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the SIP header buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
</div>
<div class="sect2">
<h3 id="_sip_method">sip_method</h3>
<div class="paragraph"><p>What: detection option for sip stat code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>sip_method.*method</strong>: sip method
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sip_stat_code">sip_stat_code</h3>
<div class="paragraph"><p>What: detection option for sip stat code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>sip_stat_code.*code</strong>: stat code { 1:999 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_so">so</h3>
<div class="paragraph"><p>What: rule option to call custom eval function</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>so.~func</strong>: name of eval function
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_soid">soid</h3>
<div class="paragraph"><p>What: rule option to specify a shared object rule ID</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>soid.~</strong>: SO rule ID has &lt;gid&gt;|&lt;sid&gt; format, like 3|12345
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssl_state">ssl_state</h3>
<div class="paragraph"><p>What: detection option for ssl state</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>ssl_state.client_hello</strong>: check for client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_hello</strong>: check for server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.client_keyx</strong>: check for client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_keyx</strong>: check for server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.unknown</strong>: check for unknown record
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssl_version">ssl_version</h3>
<div class="paragraph"><p>What: detection option for ssl version</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>ssl_version.sslv2</strong>: check for sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.sslv3</strong>: check for sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.0</strong>: check for tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.1</strong>: check for tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.2</strong>: check for tls1.2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_reassemble">stream_reassemble</h3>
<div class="paragraph"><p>What: detection option for stream reassembly control</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }
</p>
</li>
<li>
<p>
enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.noalert</strong>: don&#8217;t alert when rule matches
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_size">stream_size</h3>
<div class="paragraph"><p>What: detection option for stream size checking</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>stream_size.~range</strong>: size for comparison
</p>
</li>
<li>
<p>
enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tag">tag</h3>
<div class="paragraph"><p>What: rule option to log additional packets</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }
</p>
</li>
<li>
<p>
int <strong>tag.packets</strong>: tag this many packets { 1: }
</p>
</li>
<li>
<p>
int <strong>tag.seconds</strong>: tag for this many seconds { 1: }
</p>
</li>
<li>
<p>
int <strong>tag.bytes</strong>: tag for this many bytes { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tos">tos</h3>
<div class="paragraph"><p>What: rule option to check type of service field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>tos.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ttl">ttl</h3>
<div class="paragraph"><p>What: rule option to check time to live field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>ttl.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_urg">urg</h3>
<div class="paragraph"><p>What: detection for TCP urgent pointer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>urg.~range</strong>: check if urgent offset is min&lt;&gt;max | &lt;max | &gt;min
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_window">window</h3>
<div class="paragraph"><p>What: rule option to check TCP window field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>window.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_search_engine_modules">Search Engine Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Search engines perform multipattern searching of packets and payload to find
rules that should be evaluated.  There are currently no specific modules,
although there are several search engine plugins.  Related configuration
is done with the basic detection module.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_so_rule_modules">SO Rule Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>SO rules are dynamic rules that require custom coding to perform detection
not possible with the existing rule options.  These rules typically do not
have associated modules.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_logger_modules">Logger Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>All output of events and packets is done by Loggers.</p></div>
<div class="sect2">
<h3 id="_alert_csv">alert_csv</h3>
<div class="paragraph"><p>What: output event in csv format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout
</p>
</li>
<li>
<p>
multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen dgm_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | dir | dgm_len | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | ip_id | ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid | src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }
</p>
</li>
<li>
<p>
int <strong>alert_csv.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence
</p>
</li>
<li>
<p>
enum <strong>alert_csv.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_ex">alert_ex</h3>
<div class="paragraph"><p>What: output gid:sid:rev for alerts</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_ex.upper</strong> = false: true/false &#8594; convert to upper/lower case
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_fast">alert_fast</h3>
<div class="paragraph"><p>What: output event with brief text format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>alert_fast.packet</strong> = false: output packet dump with alert
</p>
</li>
<li>
<p>
int <strong>alert_fast.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>alert_fast.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_full">alert_full</h3>
<div class="paragraph"><p>What: output event with full packet dump</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_syslog">alert_syslog</h3>
<div class="paragraph"><p>What: output event to syslog</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
</p>
</li>
<li>
<p>
enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
</p>
</li>
<li>
<p>
multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_unixsock">alert_unixsock</h3>
<div class="paragraph"><p>What: output event over unix socket</p></div>
<div class="paragraph"><p>Type: logger</p></div>
</div>
<div class="sect2">
<h3 id="_log_codecs">log_codecs</h3>
<div class="paragraph"><p>What: log protocols in packet by layer</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>log_codecs.msg</strong> = false: include alert msg
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_log_hext">log_hext</h3>
<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload
</p>
</li>
<li>
<p>
int <strong>log_hext.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>log_hext.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
<li>
<p>
int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_log_pcap">log_pcap</h3>
<div class="paragraph"><p>What: log packet in pcap format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>log_pcap.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>log_pcap.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_unified2">unified2</h3>
<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>unified2.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>unified2.units</strong> = B: limit multiplier { B | K | M | G }
</p>
</li>
<li>
<p>
bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)
</p>
</li>
<li>
<p>
bool <strong>unified2.mpls_event_types</strong> = false: include mpls labels in events
</p>
</li>
<li>
<p>
bool <strong>unified2.vlan_event_types</strong> = false: include vlan IDs in events
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_daq_modules">DAQ Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>The Data AcQuisition library (DAQ), provides pluggable packet I/O.  The DAQ
replaces direct calls to libraries like libpcap with an abstraction layer
that facilitates operation on a variety of hardware and software interfaces
without requiring changes to Snort.  It is possible to select the DAQ type
and mode when invoking Snort to perform pcap readback or inline operation,
etc.  The DAQ library may be useful for other packet processing
applications and the modular nature allows you to build new modules for
other platforms.</p></div>
<div class="paragraph"><p>The DAQ library is provided as an external package on snort.org.  There are
a few additional modules provided with Snort++.  This section summarizes
the important things you need to know to use these DAQ modules.  There are
also 3rd DAQ modules available.</p></div>
<div class="sect2">
<h3 id="_building_the_daq_library_and_daq_modules">Building the DAQ Library and DAQ Modules</h3>
<div class="paragraph"><p>The DAQ is bundled with Snort but must be built first using these steps:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./configure
make
sudo make install</code></pre>
</div></div>
<div class="paragraph"><p>This will build and install both static and dynamic DAQ modules.</p></div>
<div class="paragraph"><p>Note that pcap &gt;= 1.0.0 is required.  pcap 1.1.1 is available at the time
of this writing and is recommended.</p></div>
<div class="paragraph"><p>Also, libdnet is required for IPQ and NFQ DAQs.  If you get a relocation error
trying to build those DAQs, you may need to reinstall libdnet and configure it
with something like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./configure "CFLAGS=-fPIC -g -O2"</code></pre>
</div></div>
<div class="paragraph"><p>You may also experience problems trying to find the dynamic dnet library
because it isn&#8217;t always named properly.  Try creating a link to the shared
library (identified by its .x or .x.y etc. extension) with the same name but
with ".so" inserted as follows:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ ln -s libdnet.1.1 libdnet.so.1.1
$ ldconfig -Rv /usr/local/lib 2&gt;&amp;1 | grep dnet
  Adding /usr/local/lib/libdnet.so.1.1</code></pre>
</div></div>
<div class="paragraph"><p>Alternatively, you should be able to fix both issues as follows:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>libtoolize --copy --force
aclocal -I config
autoheader
autoconf
automake --foreign</code></pre>
</div></div>
<div class="paragraph"><p>When the DAQ library is built, both static and dynamic flavors will be
generated.  The various DAQ modules will be built if the requisite headers and
libraries are available.  You can disable individual modules, etc. with options
to configure.  For the complete list of configure options, run:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./configure --help</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_pcap_module">PCAP Module</h3>
<div class="paragraph"><p>pcap is the default DAQ.  If snort is run w/o any DAQ arguments, it will
operate as it always did using this module.  These are equivalent:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort -i &lt;device&gt;
./snort -r &lt;file&gt;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq pcap --daq-mode passive -i &lt;device&gt;
./snort --daq pcap --daq-mode read-file -r &lt;file&gt;</code></pre>
</div></div>
<div class="paragraph"><p>You can specify the buffer size pcap uses with:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq pcap --daq-var buffer_size=&lt;#bytes&gt;</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
The pcap DAQ does not count filtered packets. *
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_afpacket_module">AFPACKET Module</h3>
<div class="paragraph"><p>afpacket functions similar to the pcap DAQ but with better performance:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq afpacket -i &lt;device&gt;
        [--daq-var buffer_size_mb=&lt;#MB&gt;]
        [--daq-var debug]</code></pre>
</div></div>
<div class="paragraph"><p>If you want to run afpacket in inline mode, you must craft the device string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>eth0:eth1</code></pre>
</div></div>
<div class="paragraph"><p>or this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>eth0:eth1::eth2:eth3</code></pre>
</div></div>
<div class="paragraph"><p>By default, the afpacket DAQ allocates 128MB for packet memory.  You can change
this with:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>--daq-var buffer_size_mb=&lt;#MB&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Note that the total allocated is actually higher, here&#8217;s why.  Assuming the
default packet memory with a snaplen of 1518, the numbers break down like this:</p></div>
<div class="ulist"><ul>
<li>
<p>
The frame size is 1518 (snaplen) + the size of the AFPacket header (66
  bytes) = 1584 bytes.
</p>
</li>
<li>
<p>
The number of frames is 128 MB / 1518 = 84733.
</p>
</li>
<li>
<p>
The smallest block size that can fit at least one frame is  4 KB = 4096 bytes
  @ 2 frames per block.
</p>
</li>
<li>
<p>
As a result, we need 84733 / 2 = 42366 blocks.
</p>
</li>
<li>
<p>
Actual memory allocated is 42366 * 4 KB = 165.5 MB.
</p>
</li>
</ul></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ
module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_nfq_module">NFQ Module</h3>
<div class="paragraph"><p>NFQ is the new and improved way to process iptables packets:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq nfq \
    [--daq-var device=&lt;dev&gt;] \
    [--daq-var proto=&lt;proto&gt;] \
    [--daq-var queue=&lt;qid&gt;]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;dev&gt; ::= ip | eth0, etc; default is IP injection
&lt;proto&gt; ::= ip4 | ip6 |; default is ip4
&lt;qid&gt; ::= 0..65535; default is 0</code></pre>
</div></div>
<div class="paragraph"><p>This module can not run unprivileged so ./snort -u -g will produce a warning
and won&#8217;t change user or group.</p></div>
<div class="paragraph"><p>Notes on iptables are given below.</p></div>
</div>
<div class="sect2">
<h3 id="_ipq_module">IPQ Module</h3>
<div class="paragraph"><p>IPQ is the old way to process iptables packets.  It replaces the inline version
available in pre-2.9 versions built with this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./configure --enable-inline</code></pre>
</div></div>
<div class="paragraph"><p>Note that layer 2 resets are not supported with the IPQ DAQ:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>config layer2resets[: &lt;mac&gt;]</code></pre>
</div></div>
<div class="paragraph"><p>Start the IPQ DAQ as follows:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq ipq \
    [--daq-var device=&lt;dev&gt;] \
    [--daq-var proto=&lt;proto&gt;] \</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;dev&gt; ::= ip | eth0, etc; default is IP injection
&lt;proto&gt; ::= ip4 | ip6; default is ip4</code></pre>
</div></div>
<div class="paragraph"><p>This module can not run unprivileged so ./snort -u -g will produce a warning
and won&#8217;t change user or group.</p></div>
<div class="paragraph"><p>Notes on iptables are given below.</p></div>
</div>
<div class="sect2">
<h3 id="_ipfw_module">IPFW Module</h3>
<div class="paragraph"><p>IPFW is available for BSD systems.  It replaces the inline version available in
pre-2.9 versions built with this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./configure --enable-ipfw</code></pre>
</div></div>
<div class="paragraph"><p>This command line argument is no longer supported:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort -J &lt;port#&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Instead, start Snort like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq ipfw [--daq-var port=&lt;port&gt;]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;port&gt; ::= 1..65535; default is 8000</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
IPFW only supports ip4 traffic.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Notes on FreeBSD and OpenBSD are given below.</p></div>
</div>
<div class="sect2">
<h3 id="_dump_module">Dump Module</h3>
<div class="paragraph"><p>The dump DAQ allows you to test the various inline mode features available in
2.9 Snort like injection and normalization.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort -i &lt;device&gt; --daq dump
./snort -r &lt;pcap&gt; --daq dump</code></pre>
</div></div>
<div class="paragraph"><p>By default a file named inline-out.pcap will be created containing all packets
that passed through or were generated by snort.  You can optionally specify a
different name.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq dump --daq-var file=&lt;name&gt;</code></pre>
</div></div>
<div class="paragraph"><p>dump uses the pcap daq for packet acquisition.  It therefore does not count
filtered packets (a pcap limitation).</p></div>
<div class="paragraph"><p>Note that the dump DAQ inline mode is not an actual inline mode.  Furthermore,
you will probably want to have the pcap DAQ acquire in another mode like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort -r &lt;pcap&gt; -Q --daq dump --daq-var load-mode=read-file
./snort -i &lt;device&gt; -Q --daq dump --daq-var load-mode=passive</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_netmap_module">Netmap Module</h3>
<div class="paragraph"><p>The netmap project is a framework for very high speed packet I/O.  It is
available on both FreeBSD and Linux with varying amounts of preparatory
setup required.  Specific notes for each follow.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq netmap -i &lt;device&gt;
        [--daq-var debug]</code></pre>
</div></div>
<div class="paragraph"><p>If you want to run netmap in inline mode, you must craft the device string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>em1:em2</code></pre>
</div></div>
<div class="paragraph"><p>or this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>em1:em2::em3:em4</code></pre>
</div></div>
<div class="paragraph"><p>Inline operation performs Layer 2 forwarding with no MAC filtering, akin to the
AFPacket module&#8217;s behavior.  All packets received on one interface in an inline
pair will be forwarded out the other interface unless dropped by the reader and
vice versa.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/important.png" alt="Important" />
</td>
<td class="content">The interfaces will need to be up and in promiscuous mode in order to
function (<em>ifconfig em1 up promisc</em>).  The DAQ module does not currently do
either of these configuration steps for itself.</td>
</tr></table>
</div>
<div class="sect3">
<h4 id="_freebsd">FreeBSD</h4>
<div class="paragraph"><p>In FreeBSD 10.0, netmap has been integrated into the core OS.  In order to use
it, you must recompile your kernel with the line</p></div>
<div class="literalblock">
<div class="content">
<pre><code>device netmap</code></pre>
</div></div>
<div class="paragraph"><p>added to your kernel config.</p></div>
</div>
<div class="sect3">
<h4 id="_linux">Linux</h4>
<div class="paragraph"><p>You will need to download the netmap source code from the project&#8217;s repository:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>https://code.google.com/p/netmap/</code></pre>
</div></div>
<div class="paragraph"><p>Follow the instructions on the project&#8217;s homepage for compiling and installing
the code:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http://info.iet.unipi.it/~luigi/netmap/</code></pre>
</div></div>
<div class="paragraph"><p>It will involve a standalone kernel module (netmap_lin) as well as patching and
rebuilding the kernel module used to drive your network adapters. The following
drivers are supported under Linux at the time of writing (June 2014):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>e1000
e1000e
forcedeth
igb
ixgbe
r8169
virtio</code></pre>
</div></div>
<div class="paragraph"><p>TODO:</p></div>
<div class="ulist"><ul>
<li>
<p>
Support for attaching to only a single ring (queue) on a network adapter.
</p>
</li>
<li>
<p>
Support for VALE and netmap pipes.
</p>
</li>
</ul></div>
</div>
</div>
<div class="sect2">
<h3 id="_notes_on_iptables">Notes on iptables</h3>
<div class="paragraph"><p>These notes are just a quick reminder that you need to set up iptables to use
the IPQ or NFQ DAQs.  Doing so may cause problems with your network so tread
carefully.  The examples below are intentionally incomplete so please read the
related documentation first.</p></div>
<div class="paragraph"><p>Here is a blog post by Marty for historical reference:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http://archives.neohapsis.com/archives/snort/2000-11/0394.html</code></pre>
</div></div>
<div class="paragraph"><p>You can check this out for queue sizing tips:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html</code></pre>
</div></div>
<div class="paragraph"><p>You might find useful IPQ info here:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http://snort-inline.sourceforge.net/</code></pre>
</div></div>
<div class="paragraph"><p>Use this to examine your iptables:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sudo /sbin/iptables -L</code></pre>
</div></div>
<div class="paragraph"><p>Use something like this to set up NFQ:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sudo /sbin/iptables
    -I &lt;table&gt; [&lt;protocol stuff&gt;] [&lt;state stuff&gt;]
    -j NFQUEUE --queue-num 1</code></pre>
</div></div>
<div class="paragraph"><p>Use something like this to set up IPQ:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sudo iptables -I FORWARD -j QUEUE</code></pre>
</div></div>
<div class="paragraph"><p>Use something like this to "disconnect" snort:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sudo /sbin/iptables -D &lt;table&gt; &lt;rule pos&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Be sure to start Snort prior to routing packets through NFQ with iptables.
Such packets will be dropped until Snort is started.</p></div>
<div class="paragraph"><p>The queue-num is the number you must give Snort.</p></div>
<div class="paragraph"><p>If you are running on a system with both NFQ and IPQ support, you may
experience some start-up failures of the sort:</p></div>
<div class="paragraph"><p>The solution seems to be to remove both modules from the kernel like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>modprobe -r nfnetlink_queue
modprobe -r ip_queue</code></pre>
</div></div>
<div class="paragraph"><p>and then install the module you want:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>modprobe ip_queue</code></pre>
</div></div>
<div class="paragraph"><p>or:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>modprobe nfnetlink_queue</code></pre>
</div></div>
<div class="paragraph"><p>These DAQs should be run with a snaplen of 65535 since the kernel defrags the
packets before queuing.  Also, no need to configure frag3.</p></div>
</div>
<div class="sect2">
<h3 id="_notes_on_freebsd_ipfw">Notes on FreeBSD::IPFW</h3>
<div class="paragraph"><p>Check the online manual at:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.</code></pre>
</div></div>
<div class="paragraph"><p>Here is a brief example to divert icmp packets to Snort at port 8000:</p></div>
<div class="paragraph"><p>To enable support for divert sockets, place the following lines in the
kernel configuration file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>options IPFIREWALL
options IPDIVERT</code></pre>
</div></div>
<div class="paragraph"><p>(The file in this case was: /usr/src/sys/i386/conf/GENERIC; which is platform
dependent.)</p></div>
<div class="paragraph"><p>You may need to also set these to use the loadable kernel modules:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>/etc/rc.conf:
firewall_enable="YES"</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>/boot/loader.conf:
ipfw_load="YES"
ipdivert_load="YES"</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$ dmesg | grep ipfw
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
forwarding disabled, default to deny, logging disabled</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$ kldload -v ipdivert
Loaded ipdivert, id=4</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$ ipfw add 75 divert 8000 icmp from any to any
00075 divert 8000 icmp from any to any</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$ ipfw list
...
00075 divert 8000 icmp from any to any
00080 allow icmp from any to any
...</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
Note that on FreeBSD, divert sockets don&#8217;t work with bridges!
</p>
</li>
</ul></div>
<div class="paragraph"><p>Please refer to the following articles for more information:</p></div>
<div class="ulist"><ul>
<li>
<p>
<a href="https://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw">https://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw</a>
</p>
</li>
<li>
<p>
<a href="http://freebsd.rogness.net/snort_inline/">http://freebsd.rogness.net/snort_inline/</a>
</p>
</li>
</ul></div>
<div class="paragraph"><p>NAT gateway can be used with divert sockets if the network environment is
conducive to using NAT.</p></div>
<div class="paragraph"><p>The steps to set up NAT with ipfw are as follows:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Set up NAT with two interface em0 and em1 by adding the following to
/etc/rc.conf.  Here em0 is connected to external network and em1 to
host-only LAN.
</p>
<div class="literalblock">
<div class="content">
<pre><code>gateway_enable="YES"
natd_program="/sbin/natd"   # path to natd
natd_enable="YES"           # Enable natd (if firewall_enable == YES)
natd_interface="em0"       # Public interface or IP Address
natd_flags="-dynamic"       # Additional flags
defaultrouter=""
ifconfig_em0="DHCP"
ifconfig_em1="inet 192.168.1.2 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="simple"</code></pre>
</div></div>
</li>
<li>
<p>
Add the following divert rules to divert packets to Snort above and
below the NAT rule in the "Simple" section of /etc/rc.firewall.
</p>
<div class="literalblock">
<div class="content">
<pre><code>...
# Inspect outbound packets (those arriving on "inside" interface)
# before NAT translation.
${fwcmd} add divert 8000 all from any to any in via ${iif}
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac
...
# Inspect inbound packets (those arriving on "outside" interface)
# after NAT translation that aren't blocked for other reasons,
# after the TCP "established" rule.
${fwcmd} add divert 8000 all from any to any in via ${oif}</code></pre>
</div></div>
</li>
</ol></div>
</div>
<div class="sect2">
<h3 id="_notes_on_openbsd_ipfw">Notes on OpenBSD::IPFW</h3>
<div class="paragraph"><p>OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.</p></div>
<div class="paragraph"><p>Here is one way to set things up:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Configure the system to forward packets:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$ sysctl net.inet.ip.forwarding=1
$ sysctl net.inet6.ip6.forwarding=1</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>(You can also put that in /etc/sysctl.conf to enable on boot.)</code></pre>
</div></div>
</li>
<li>
<p>
Set up interfaces
</p>
<div class="literalblock">
<div class="content">
<pre><code>$ dhclient vic1
$ dhclient vic2</code></pre>
</div></div>
</li>
<li>
<p>
Set up packet filter rules:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$ echo "pass out on vic1 divert-packet port 9000 keep-state" &gt; rules.txt
$ echo "pass out on vic2 divert-packet port 9000 keep-state" &gt;&gt; rules.txt</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$ pfctl -v -f rules.txt</code></pre>
</div></div>
</li>
<li>
<p>
Analyze packets diverted to port 9000:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$ ./snort --daq ipfw --daq-var port=9000</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
Note that on OpenBSD, divert sockets don&#8217;t work with bridges!
</p>
</li>
</ul></div>
</li>
</ol></div>
</div>
<div class="sect2">
<h3 id="_socket_module">Socket Module</h3>
<div class="paragraph"><p>The socket module provides provides a stream socket server that will accept
up to 2 simultaneous connections and bridge them together while also
passing data to Snort++ for inspection.  The first connection accepted is
considered the client and the second connection accepted is considered the
server.  If there is only one connection, stream data can&#8217;t be forwarded
but it is still inspected.</p></div>
<div class="paragraph"><p>Each read from a socket of up to snaplen bytes is passed as a packet to
Snort++ along with a DAQ_SktHdr_t pointer in DAQ_PktHdr_t&#8594;priv_ptr.
DAQ_SktHdr_t conveys IP4 address, ports, protocol, and direction.  Socket
packets can be configured to be TCP or UDP.  The socket DAQ can be operated
in inline mode and is able to block packets.</p></div>
<div class="paragraph"><p>The socket DAQ uses DLT_SOCKET and requires that Snort++ load the socket
codec which is included in the extra package.</p></div>
<div class="paragraph"><p>To use the socket DAQ, start Snort++ like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --plugin-path /path/to/lib/snort_extra \
    --daq socket [--daq-var port=&lt;port&gt;] [--daq-var proto=&lt;proto&gt;] [-Q]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;port&gt; ::= 1..65535; default is 8000
&lt;proto&gt; ::= tcp | udp</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
This module only supports ip4 traffic.
</p>
</li>
<li>
<p>
This module is only supported by Snort++.  It is not compatible with
  Snort.
</p>
</li>
<li>
<p>
This module is primarily for development and test.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_file_module">File Module</h3>
<div class="paragraph"><p>The file module provides the ability to process files directly w/o having
to extract them from pcaps.  Use the file module with Snort&#8217;s stream_file
to get file type identification and signature services.  The usual IPS
detection and logging etc. is available too.</p></div>
<div class="paragraph"><p>You can process all the files in a directory recursively using 8 threads
with these Snort options:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>--pcap-dir path -z 8</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
This module is only supported by Snort++.  It is not compatible with
  Snort.
</p>
</li>
<li>
<p>
This module is primarily for development and test.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_hext_module">Hext Module</h3>
<div class="paragraph"><p>The hext module generates packets suitable for processing by Snort from
hex/plain text.  Raw packets include full headers and are processed
normally.  Otherwise the packets contain only payload and are accompanied
with flow information (4-tuple) suitable for processing by stream_user.</p></div>
<div class="paragraph"><p>The first character of the line determines it&#8217;s purpose:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>'$' command
'#' comment
'"' quoted string packet data
'x' hex packet data
' ' empty line separates packets</code></pre>
</div></div>
<div class="paragraph"><p>The available commands are:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$client &lt;ip4&gt; &lt;port&gt;
$server &lt;ip4&gt; &lt;port&gt;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$packet -&gt; client
$packet -&gt; server</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$packet &lt;addr&gt; &lt;port&gt; -&gt; &lt;addr&gt; &lt;port&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Client and server are determined as follows.  $packet &#8594; client indicates
to the client (from server) and $packet &#8594; server indicates a packet to the
server (from client).  $packet followed by a 4-tuple uses the heuristic
that the client is the side with the lower port number.</p></div>
<div class="paragraph"><p>The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
respectively.  $packet commands with a 4-tuple do not change client and
server set with the other $packet commands.</p></div>
<div class="paragraph"><p>$packet commands should be followed by packet data, which may contain any
combination of hex and strings.  Data for a packet ends with the next
command or a blank line.  Data after a blank line will start another packet
with the same tuple as the prior one.</p></div>
<div class="paragraph"><p>Strings may contain the following escape sequences:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>\r = 0x0D = carriage return
\n = 0x0A = new line
\t = 0x09 = tab
\\ = 0x5C = \</code></pre>
</div></div>
<div class="paragraph"><p>Format your input carefully; there is minimal error checking and little
tolerance for arbitrary whitespace.  You can use Snort&#8217;s -L hext option to
generate hext input from a pcap.</p></div>
<div class="ulist"><ul>
<li>
<p>
This module only supports ip4 traffic.
</p>
</li>
<li>
<p>
This module is only supported by Snort++.  It is not compatible with
  Snort.
</p>
</li>
<li>
<p>
This module is primarily for development and test.
</p>
</li>
</ul></div>
<div class="paragraph"><p>The hext DAQ also supports a raw mode which is activated by setting the
data link type.  For example, you can input full ethernet packets with
--daq-var dlt=1 (Data link types are defined in the DAQ include
sfbpf_dlt.h.)  Combine that with the hext logger in raw mode for a quick
(and dirty) way to edit pcaps.  With --lua "log_hext = { raw = true }", the
hext logger will dump the full packet in a way that can be read by the hext
DAQ in raw mode.  Here is an example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code># 3 [96]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03  # ..............E..R..
x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00  # ..@.\............P..
x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74  # ......P.  .....GET /t
x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48  # rigger/1 HTTP/1.1..H
x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A              # ost: localhost..</code></pre>
</div></div>
<div class="paragraph"><p>A comment indicating packet number and size precedes each packet dump.
Note that the commands are not applicable in raw mode and have no effect.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_snort_vs_snort">Snort++ vs Snort</h2>
<div class="sectionbody">
<div class="paragraph"><p>Snort++ differs from Snort in the following ways:</p></div>
<div class="ulist"><ul>
<li>
<p>
command line and conf file syntax made more uniform
</p>
</li>
<li>
<p>
removed unused and deprecated features
</p>
</li>
<li>
<p>
remove as many barriers to successful run as possible
  (e.g.: no upper bounds on memcaps)
</p>
</li>
<li>
<p>
assume the simplest mode of operation
  (e.g.: never assume input from or output to some hardcoded filename)
</p>
</li>
<li>
<p>
all Snort config options are grouped into Snort++ modules
</p>
</li>
</ul></div>
<div class="sect2">
<h3 id="_build_options">Build Options</h3>
<div class="ulist"><ul>
<li>
<p>
configure --with-lib{pcap,pcre}-* &#8594; --with-{pcap,pcre}-*
</p>
</li>
<li>
<p>
control socket, cs_dir, and users were deleted
</p>
</li>
<li>
<p>
POLICY_BY_ID_ONLY code was deleted
</p>
</li>
<li>
<p>
hardened --enable-inline-init-failopen / INLINE_FAILOPEN
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_command_line">Command Line</h3>
<div class="ulist"><ul>
<li>
<p>
--pause loads config and waits for resume before processing packets
</p>
</li>
<li>
<p>
--require-rule-sid is hardened
</p>
</li>
<li>
<p>
--shell enables interactive Lua shell
</p>
</li>
<li>
<p>
-T is assumed if no input given
</p>
</li>
<li>
<p>
added --help-config prefix to dump all matching settings
</p>
</li>
<li>
<p>
added --script-path
</p>
</li>
<li>
<p>
added -K text; -K text/pcap is old dump/log mode
</p>
</li>
<li>
<p>
added -z &lt;#&gt; and --max-packet-threads &lt;#&gt;
</p>
</li>
<li>
<p>
delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,
  --max-mpls-labelchain-len, --mpls-payload-type
</p>
</li>
<li>
<p>
deleted --pid-path and --no-interface-pidfile
</p>
</li>
<li>
<p>
deleting command line options which will be available with --lua or some such including:
  -I, -h, -F, -p, --disable-inline-init-failopen
</p>
</li>
<li>
<p>
hardened -n &lt; 0
</p>
</li>
<li>
<p>
removed --search-method
</p>
</li>
<li>
<p>
replaced "unknown args are bpf" with --bpf
</p>
</li>
<li>
<p>
replaced --dynamic-*-lib[-dir] with --plugin-path (with : separators)
</p>
</li>
<li>
<p>
removed -b, -N, -Z and, --perfmon-file options
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_conf_file">Conf File</h3>
<div class="ulist"><ul>
<li>
<p>
Snort++ has a default unicode.map
</p>
</li>
<li>
<p>
Snort++ will not enforce an upper bound on memcaps and the like within 64 bits
</p>
</li>
<li>
<p>
Snort++ will supply a default *_global config if not specified
  (Snort would fatal; e.g. http_inspect_server w/o http_inspect_global)
</p>
</li>
<li>
<p>
address list syntax changes: [[ and ]] must be [ [ and ] ] to avoid Lua string
  parsing errors (unless in quoted string)
</p>
</li>
<li>
<p>
because the Lua conf is live code, we lose file:line locations in app error messages
  (syntax errors from Lua have file:line)
</p>
</li>
<li>
<p>
changed search-method names for consistency
</p>
</li>
<li>
<p>
delete config include_vlan_in_alerts (not used in code)
</p>
</li>
<li>
<p>
delete config so_rule_memcap (not used in code)
</p>
</li>
<li>
<p>
deleted --disable-attribute-table-reload-thread
</p>
</li>
<li>
<p>
deleted config decode_*_{alerts,drops} (use rules only)
</p>
</li>
<li>
<p>
deleted config dump-dynamic-rules-path
</p>
</li>
<li>
<p>
deleted config ipv6_frag (not actually used)
</p>
</li>
<li>
<p>
deleted config threshold and ips rule threshold (&#8594; event_filter)
</p>
</li>
<li>
<p>
eliminated ac-split; must use ac-full-q split-any-any
</p>
</li>
<li>
<p>
frag3 &#8594; defrag, arpspoof &#8594; arp_spoof, sfportscan &#8594; port_scan,
  perfmonitor &#8594; perf_monitor, bo &#8594; back_orifice
</p>
</li>
<li>
<p>
limits like "1234K" are now "limit = 1234, units = <em>K</em>"
</p>
</li>
<li>
<p>
lua field names are (lower) case sensitive; snort.conf largely wasn&#8217;t
</p>
</li>
<li>
<p>
module filenames are not configurable: always &lt;log-dir&gt;/&lt;module-name&gt;&lt;suffix&gt;
  (suffix is determined by module)
</p>
</li>
<li>
<p>
no positional parameters; all name = value
</p>
</li>
<li>
<p>
perf_monitor configuration was simplified
</p>
</li>
<li>
<p>
portscan.detect_ack_scans deleted (exact same as include_midstream)
</p>
</li>
<li>
<p>
removed various run modes - now just one
</p>
</li>
<li>
<p>
frag3 default policy is Linux not bsd
</p>
</li>
<li>
<p>
lowmem* search methods are now in snort_examples
</p>
</li>
<li>
<p>
deleted unused http_inspect stateful mode
</p>
</li>
<li>
<p>
deleted stateless inspection from ftp and telnet
</p>
</li>
<li>
<p>
deleted http and ftp alert options (now strictly rule based)
</p>
</li>
<li>
<p>
preprocessor disabled settings deleted since no longer relevant
</p>
</li>
<li>
<p>
sessions are always created; snort config stateful checks eliminated
</p>
</li>
<li>
<p>
stream5_tcp: prune_log_max deleted; to be replaced with histogram
</p>
</li>
<li>
<p>
stream5_tcp: max_active_responses, min_response_seconds moved to
  active.max_responses, min_interval
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rules_2">Rules</h3>
<div class="ulist"><ul>
<li>
<p>
all rules must have a sid
</p>
</li>
<li>
<p>
deleted activate / dynamic rules
</p>
</li>
<li>
<p>
deleted metadata engine shared
</p>
</li>
<li>
<p>
deleted metadata: rule-flushing (with PDU flushing rule flushing can cause
  missed attacks, the opposite of its intent)
</p>
</li>
<li>
<p>
deleted unused rule_state.action
</p>
</li>
<li>
<p>
fastpattern_offset, fast_pattern_length
</p>
</li>
<li>
<p>
no ; separated content suboptions
</p>
</li>
<li>
<p>
offset, depth, distance, and within must use a space separator not colon
  (e.g. offset:5; becomes offset 5;)
</p>
</li>
<li>
<p>
rule option sequence: &lt;stub&gt; soid &lt;hidden&gt;
</p>
</li>
<li>
<p>
sid == 0 not allowed
</p>
</li>
<li>
<p>
soid is now a non-metadata option
</p>
</li>
<li>
<p>
content suboptions http_* are now full options and should be place before content
</p>
</li>
<li>
<p>
the following pcre options have been deleted: use sticky buffers instead
    B, U, P, H, M, C, I, D, K, S, Y
</p>
</li>
<li>
<p>
deleted uricontent ips rule option.
  uricontent:"foo" -&#8594;  http_uri; content:"foo"
</p>
</li>
<li>
<p>
deleted urilen raw and norm; must use http_raw_uri and http_uri instead
</p>
</li>
<li>
<p>
deleted unused http_encode option
</p>
</li>
<li>
<p>
urilen replaced with generic bufferlen which applies to current sticky
  buffer
</p>
</li>
<li>
<p>
added optional selector to http_header, e.g. http_header:User-Agent;
</p>
</li>
<li>
<p>
multiline rules w/o \n
</p>
</li>
<li>
<p>
#begin &#8230; #end comments
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_output_2">Output</h3>
<div class="ulist"><ul>
<li>
<p>
alert_fast includes packet data by default
</p>
</li>
<li>
<p>
all text mode outputs default to stdout
</p>
</li>
<li>
<p>
changed default logging mode to -K none
</p>
</li>
<li>
<p>
deleted layer2resets and flexresp2_*
</p>
</li>
<li>
<p>
deleted log_ascii
</p>
</li>
<li>
<p>
general output guideline: don&#8217;t print zero counts
</p>
</li>
<li>
<p>
Snort++ queues decoder and inspector events to the main event queue before ips policy
  is selected; since some events may not be enabled, the queue needs to be sized larger
  than with Snort which used an intermediate queue for decoder events.
</p>
</li>
<li>
<p>
deleted the intermediate http and ftp_telnet event queues
</p>
</li>
<li>
<p>
alert_unified2 and log_unified2 have been deleted
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_profiles">HTTP Profiles</h3>
<div class="paragraph"><p>This section describes the changes to the Http Inspect config option "profile".</p></div>
<div class="paragraph"><p>Snort 2.X allows users to select pre-defined HTTP server profiles using the
config option "profile". The user can choose one of five predefined profiles.
When defined, this option will set defaults for other config options within
Http Inspect.</p></div>
<div class="paragraph"><p>With Snort++, the user has the flexibility of defining and fine tuning custom
profiles along with the five predefined profiles.</p></div>
<div class="paragraph"><p>Snort 2.X conf</p></div>
<div class="literalblock">
<div class="content">
<pre><code>preprocessor http_inspect_server: server default \
    profile apache ports { 80 3128 } max_headers 200</code></pre>
</div></div>
<div class="paragraph"><p>Snort 3.0 conf</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http_inspect = { profile = http_profile_apache }
http_inspect.profile.max_headers = 200</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
    {
        when = { proto = 'tcp', ports = '80 3128', },
        use = { type = 'http_inspect' },
    },
}</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The "profile" option now that points to a table "http_profile_apache"
which is defined in "snort_defaults.lua" (as follows).</td>
</tr></table>
</div>
<div class="literalblock">
<div class="content">
<pre><code>http_profile_apache =
{
    profile_type = 'apache',
    server_flow_depth = 300,
    client_flow_depth = 300,
    post_depth = -1,
    chunk_length = 500000,
    ascii = true,
    multi_slash = true,
    directory = true,
    webroot = true,
    utf_8 = true,
    apache_whitespace = true,
    non_strict = true,
    normalize_utf = true,
    normalize_javascript = false,
    max_header_length = 0,
    max_headers = 0,
    max_spaces = 200,
    max_javascript_whitespaces = 200,
    whitespace_chars ='0x9 0xb 0xc 0xd'
}</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The config option "max_headers" is set to 0 in the profile, but
overwritten by "http_inspect.profile.max_headers = 200".</td>
</tr></table>
</div>
<div class="paragraph"><p>Conversion</p></div>
<div class="paragraph"><p>Snort2lua can convert the existing snort.conf with the "profile" option to
Snort3.0 compatible "profile". Please refer to the Snort2Lua post for more
details.</p></div>
<div class="paragraph"><p>Examples</p></div>
<div class="literalblock">
<div class="content">
<pre><code>"profile all" ==&gt; "profile = http_profile_default"
"profile apache" ==&gt; "profile = http_profile_apache"
"profile iis" ==&gt; "profile = http_profile_iis"
"profile iis_40" ==&gt; "profile = http_profile_iis_40"
"profile iis_50" ==&gt; "profile = http_profile_iis_50"</code></pre>
</div></div>
<div class="paragraph"><p>Defining custom profiles</p></div>
<div class="paragraph"><p>The complete set of Http Inspect config options that a custom profile can
configure can be found by running the following command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-config http_inspect | grep http_inspect.profile</code></pre>
</div></div>
<div class="paragraph"><p>The new Http Inspect (new_http_inspect) implementation of config options is
still under development.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_snort2lua_2">Snort2Lua</h2>
<div class="sectionbody">
<div class="paragraph"><p>One of the major differences between Snort 2.9.X and Snort 3.0 is the
configuration. Snort 2.9.X configuration files are written in Snort-specific
syntax while Snort 3.0 configuration files are written in Lua. Snort2Lua is a
program specifically designed to convert Snort 2.9.X configuration files into
Lua files that Snort 3.0 can understand.</p></div>
<div class="paragraph"><p>Snort2Lua reads your legacy Snort conf file(s) and generates Snort++ Lua
and rules files.  When running this program, the only mandatory option is
to provide Snort2Lua with a Snort configuration file. The default output
file file is snort.lua, the default error file will be snort.rej, and the
default rule file is the output file (default is snort.lua).  When
Snort2Lua finishes running, the resulting configuration file can be
successfully run as the Snort3.0 configuration file.  The sole exception to
this rule is when Snort2Lua cannot find an included file.  If that occurs,
the file will still be included in the output file and you will need to
manually adjust or comment the file name. Additionally, if the exit code is
not zero, some of the information may not be successfully converted.  Check
the error file for all of the conversion problems.</p></div>
<div class="paragraph"><p>Those errors can occur for a multitude of reasons and are not necessarily
bad.  For instance, Snort2Lua will only convert preprocessors that are
currently supported. Therefore, any unsupported preprocessors or
configuration options including DCERP, SIP, and SMTP, will cause an error
in Snort2Lua since Snort3.0 does not support those preprocessors.
Additionally, any rule options associated with those preprocessors are also
not supported.  Finally, Snort2Lua expects a valid Snort configuration.
Therefore, if the configuration is invalid or has questionable syntax,
Snort2Lua may fail to parse the configuration file or create an invalid
Snort3.0 configuration file.</p></div>
<div class="paragraph"><p>There are a also few peculiarities of Snort2Lua that may be confusing to a
first time user. Specifically, aside from an initial configuration file
(which is specified from the command line or as the file in ‘config
binding’), every file that is included into Snort3.0 must be either a Lua
file or a rule file; the file cannot contain both rules and Lua syntax.
Therefore, when parsing a file specified with the ‘include’ command,
Snort2Lua will output both a Lua file and a rule file.  Additionally, any
line that is a comment in a configuration file will be added in to a
comments section at the bottom of the main configuration file.  Finally,
rules that contain unsupported options will be converted to the best of
Snort2Lua’s capability and then printed as a comment in the rule file.</p></div>
<div class="sect2">
<h3 id="_snort2lua_command_line">Snort2Lua Command Line</h3>
<div class="paragraph"><p>By default, Snort2Lua will attempt to parse every ‘include’ file and every
‘binding’ file.  There is an option to change this functionality.</p></div>
<div class="paragraph"><p>When specifying a rule file with one of the command line options, Snort2Lua
will output all of the converted rules to that specified rule file.
This is especially useful when you are only interesting in
converting rules since there is no Lua syntax in rule files.  There is also
an option that tells Snort2Lua to output every rule for a given
configuration into a single rule file.  Similarly, there is an option
pull all of the Lua syntax from every ‘include’ file into the output file.</p></div>
<div class="paragraph"><p>There are currently three output modes: default, quiet, and differences.
As expected, quiet mode produces a Snort++ configuration.  All errors
(aside from Fatal Snort2Lua errors), differences, and comments will omitted
from the final output file.  Default mode will print everything. That mean
you will be able to see exactly what changes have occurred between Snort and
Snort++ in addition to the new syntax, the original file&#8217;s comments, and
all errors that have occurred.  Finally, differences mode will not actually
output a valid Snort3.0 configuration.  Instead, you can see the exact
options from the input configuration that have changed.</p></div>
<div class="sect3">
<h4 id="_usage_snort2lua_options_8230_c_lt_snort_conf_gt_8230">Usage: snort2lua [OPTIONS]&#8230; -c &lt;snort_conf&gt; &#8230;</h4>
<div class="paragraph"><p>Converts the Snort configuration file specified by the -c or --conf-file
options into a Snort++ configuration file</p></div>
<div class="sect4">
<h5 id="_options">Options:</h5>
<div class="ulist"><ul>
<li>
<p>
<strong>-?</strong>                show usage
</p>
</li>
<li>
<p>
<strong>-h</strong>                this overview of snort2lua
</p>
</li>
<li>
<p>
<strong>-a</strong>                default option.  print all data
</p>
</li>
<li>
<p>
<strong>-c &lt;snort_conf&gt;</strong>   The Snort &lt;snort_conf&gt; file to convert
</p>
</li>
<li>
<p>
<strong>-d</strong>                print the differences, and only the differences, between the
                    Snort and Snort++ configurations to the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>-e &lt;error_file&gt;</strong>   output all errors to &lt;error_file&gt;
</p>
</li>
<li>
<p>
<strong>-i</strong>                if &lt;snort_conf&gt; file contains any &lt;include_file&gt; or
                    &lt;policy_file&gt; (i.e. <em>include path/to/conf/other_conf</em>), do
                    NOT parse those files
</p>
</li>
<li>
<p>
<strong>-m</strong>                add a remark to the end of every converted rule
</p>
</li>
<li>
<p>
<strong>-o &lt;out_file&gt;</strong>     output the new Snort++ lua configuration to &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>-q</strong>                quiet mode. Only output valid confiration information to the
                    &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>-r &lt;rule_file&gt;</strong>    output any converted rule to &lt;rule_file&gt;
</p>
</li>
<li>
<p>
<strong>-s</strong>                when parsing &lt;include_file&gt;, write &lt;include_file&gt;'s rules to
                    &lt;rule_file&gt;. Meaningles if <em>-i</em> provided
</p>
</li>
<li>
<p>
<strong>-t</strong>                when parsing &lt;include_file&gt;, write &lt;include_file&gt;'s
                    information, excluding rules, to &lt;out_file&gt;. Meaningles if
                    <em>-i</em> provided
</p>
</li>
<li>
<p>
<strong>-V</strong>                Print the current Snort2Lua version
</p>
</li>
<li>
<p>
<strong>--conf-file</strong>       Same as <em>-c</em>. A Snort &lt;snort_conf&gt; file which will be
                    converted
</p>
</li>
<li>
<p>
<strong>--dont-parse-includes</strong>
                    Same as <em>-p</em>. if &lt;snort_conf&gt; file contains any
                    &lt;include_file&gt; or &lt;policy_file&gt; (i.e. <em>include
                    path/to/conf/other_conf</em>), do NOT parse those files
</p>
</li>
<li>
<p>
<strong>--error-file=&lt;error_file&gt;</strong>
                    Same as <em>-e</em>. output all errors to &lt;error_file&gt;
</p>
</li>
<li>
<p>
<strong>--help</strong>            Same as <em>-h</em>. this overview of snort2lua
</p>
</li>
<li>
<p>
<strong>--markup</strong>          print help in asciidoc compatible format
</p>
</li>
<li>
<p>
<strong>--output-file=&lt;out_file&gt;</strong>
                    Same as <em>-o</em>. output the new Snort++ lua configuration to
                    &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--print-all</strong>       Same as <em>-a</em>. default option.  print all data
</p>
</li>
<li>
<p>
<strong>--print-differences</strong>  Same as <em>-d</em>. output the differences, and only the
                    differences, between the Snort and Snort++ configurations to
                    the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--quiet</strong>           Same as <em>-q</em>. quiet mode. Only output valid confiration
                    information to the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--remark</strong>          same as <em>-m</em>.  add a remark to the end of every converted
                    rule
</p>
</li>
<li>
<p>
<strong>--rule-file=&lt;rule_file&gt;</strong>
                    Same as <em>-r</em>. output any converted rule to &lt;rule_file&gt;
</p>
</li>
<li>
<p>
<strong>--single-conf-file</strong>  Same as <em>-t</em>. when parsing &lt;include_file&gt;, write
                    &lt;include_file&gt;'s information, excluding rules, to
                    &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--single-rule-file</strong>  Same as <em>-s</em>. when parsing &lt;include_file&gt;, write
                    &lt;include_file&gt;'s rules to &lt;rule_file&gt;.
</p>
</li>
<li>
<p>
<strong>--version</strong>         Same as <em>-V</em>. Print the current Snort2Lua version
</p>
</li>
</ul></div>
</div>
<div class="sect4">
<h5 id="_required_option">Required option:</h5>
<div class="ulist"><ul>
<li>
<p>
A Snort configuration file to convert. Set with either <em>-c</em> or <em>--conf-file</em>
</p>
</li>
</ul></div>
</div>
<div class="sect4">
<h5 id="_default_values">Default values:</h5>
<div class="ulist"><ul>
<li>
<p>
&lt;out_file&gt;   =  snort.lua
</p>
</li>
<li>
<p>
&lt;rule_file&gt;  =  &lt;out_file&gt; = snort.lua.  Rules are written to the <em>local_rules</em> variable in the &lt;out_file&gt;
</p>
</li>
<li>
<p>
&lt;error_file&gt; =  snort.rej.  This file will not be created in quiet mode.
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_known_problems">Known Problems</h3>
<div class="ulist"><ul>
<li>
<p>
Any Snort ‘string’ which is dependent on a variable will no longer have
that variable in the Lua string.
</p>
</li>
<li>
<p>
Snort2Lua currently does not handle variables well. First, that means
variables will not always be parsed correctly.  Second, sometimes a
variables value will be outoput in the lua file rather than a variable
For instance, if Snort2Lua attempted to convert the line
<em>include $RULE_PATH/example.rule</em>, the output may ouput
<em>include /etc/rules/example.rule</em> instead.
</p>
</li>
<li>
<p>
When Snort2Lua parses a ‘binding’ configuration file, the rules and
configuration will automatically be combined into the same file.  Also, the
new files name will automatically become the old file’s name with a .lua
extension.  There is currently no way to specify or change that files name.
</p>
</li>
<li>
<p>
If a rule&#8217;s action is a custom ruletype, that rule action will be silently
converted to the rultype&#8217;s <em>type</em>. No warnings or errors are currently
emmitted. Additionally, the custom ruletypes outputs will be silently
discarded.
</p>
</li>
<li>
<p>
If the original configuration contains a binding that points to another
file and the binding file contains an error, Snort2Lua will output the
number of rejects for the binding file in addition to the number of
rejects in the main file.  The two numbers will eventually be combined into
one output.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_usage">Usage</h3>
<div class="paragraph"><p>Snort2Lua is included in the Snort 3.0 distribution. The Snort2Lua source code
is located in the tools/snort2lua directory. The program is automatically built
and installed.</p></div>
<div class="paragraph"><p>Translating your configuration</p></div>
<div class="paragraph"><p>To run Snort2Lua, the only requirement is a file containing Snort 2.9.X syntax.
Assuming your configuration file is named snort.conf, run the command</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort2lua –c snort.conf</code></pre>
</div></div>
<div class="paragraph"><p>Snort2Lua will output a file named snort.lua. Assuming your snort.conf file is
a valid Snort 2.9.X configuration file, than the resulting snort.lua file will
always be a valid Snort 3.0 configuration file; any errors that occur are
because Snort 3.0 currently does not support all of the Snort 2.9.X options.</p></div>
<div class="paragraph"><p>Every keyword from the Snort configuration can be found in the output file. If
the option or keyword has changed, then a comment containing both the option or
keyword’s old name and new name will be present in the output file.</p></div>
<div class="paragraph"><p>Translating a rule file</p></div>
<div class="paragraph"><p>Snort2Lua can also accommodate translating individual rule files. Assuming the
Snort 2.9.X rule file is named snort.rules and you want the new rule file to be
name updated.rules, run the command</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort2lua –c snort.rules -r updated.rules</code></pre>
</div></div>
<div class="paragraph"><p>Snort2Lua will output a file named updated.rules. That file, updated.rules,
will always be a valid Snort 3.0 rule file. Any rule that contains unsupported
options will be a comment in the output file.</p></div>
<div class="paragraph"><p>Understanding the Output</p></div>
<div class="paragraph"><p>Although Snort2Lua outputs very little to the console, there are several things
that occur when Snort2Lua runs.  This is a list of Snort2Lua outputs.</p></div>
<div class="paragraph"><p><em>The console</em>.   Every line that Snort2Lua is unable to translate from the Snort
2.9.X format to the Snort 3.0 format is considered an error. Upon exiting,
Snort2Lua will print the number of errors that occurred. Snort2Lua will also
print the name of the error file.</p></div>
<div class="paragraph"><p><em>The output file</em>.  As previously mentioned, Snort2Lua will create a Lua file
with valid Snort 3.0 syntax.  The default Lua file is named snort.lua.  This
file is the equivalent of your main Snort 2.9.X configuration file.</p></div>
<div class="paragraph"><p><em>The rule file</em>.   By default, all rules will be printed to the Lua file.
However, if a rule file is specified on the command line, any rules found in
the Snort 2.9.X configuration will be written to the rule file instead</p></div>
<div class="paragraph"><p><em>The error file</em>.  By default, the error file is snort.rej. It will only be
created if errors exist.  Every error referenced on the command line can be
found in this file.  There are two reasons an error can occur.</p></div>
<div class="ulist"><ul>
<li>
<p>
The Snort 2.9.X configuration file has invalid syntax. If Snort 2.9.X cannot
  parse the configuration file, neither can Snort2Lua.  In the example below,
  Snort2Lua could not convert the line <em>config bad_option</em>.  Since that is not
  valid Snort 2.9.X syntax, this is a syntax error.
</p>
</li>
<li>
<p>
The Snort 2.9.X configuration file contains preprocessors and rule options
  that are not supported in Snort 3.0.  If Snort 2.9.X can parse a line that
  Snort2Lua cannot parse, than Snort 3.0 does not support something in the line.
  As Snort 3.0 begins supporting these preprocessors and rule options, Snort2Lua
  will also begin translating these lines. One example of such an error is
  dcerpc2.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Additional .lua and .rules files. Every time Snort2Lua parses the include or
binding keyword, the program will attempt to parse the file referenced by the
keyword.  Snort2Lua will then create one or two new files.  The new files will
have a .lua or .rules extension appended to the original filename.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_extending_snort">Extending Snort++</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_plugins">Plugins</h3>
<div class="paragraph"><p>Snort++ uses a variety of plugins to accomplish much of its processing
objectives, including:</p></div>
<div class="ulist"><ul>
<li>
<p>
Codec - to decode and encode packets
</p>
</li>
<li>
<p>
Inspector - like the prior preprocessors, for normalization, etc.
</p>
</li>
<li>
<p>
IpsOption - for detection in Snort++ rules
</p>
</li>
<li>
<p>
IpsAction - for custom actions
</p>
</li>
<li>
<p>
Logger - for handling events
</p>
</li>
<li>
<p>
Mpse - for fast pattern matching
</p>
</li>
<li>
<p>
So - for dynamic rules
</p>
</li>
</ul></div>
<div class="paragraph"><p>Plugins have an associated API defined for each type, all of which share a
common <em>header</em>, called the BaseApi.  A dynamic library makes its plugins
available by exporting the snort_plugins symbol, which is a null terminated
array of BaseApi pointers.</p></div>
<div class="paragraph"><p>The BaseApi includes type, name, API version, plugin version, and function
pointers for constructing and destructing a Module.  The specific API add
various other data and functions for their given roles.</p></div>
</div>
<div class="sect2">
<h3 id="_modules_2">Modules</h3>
<div class="paragraph"><p>The Module is pervasive in Snort+<code>.  It is how everything, including
plugins, are configured.  It also provides access to builtin rules.  And as
the glue that binds functionality to Snort</code>+, the capabilities of a Module
are expected to grow to include statistics support, etc.</p></div>
<div class="paragraph"><p>Module configuration is handled by a list of Parameters.  Most parameters
can be validated by the framework, which means for example that conversion
from string to number is done in exactly one place.  Providing the builtin
rules allows the documentation to include them automatically and also allows
for autogenerating the rules at startup.</p></div>
<div class="paragraph"><p>If we are defining a new Inspector called, say, gadget, it might be
configured in snort.lua like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>gadget =
{
    brain = true,
    claw = 3
}</code></pre>
</div></div>
<div class="paragraph"><p>When the gadget table is processed, Snort++ will look for a module called
gadget.  If that Module has an associated API, it will be used to configure
a new instance of the plugin.  In this case, a GadgetModule would be
instantiated, brain and claw would be set, and the Module instance would be
passed to the GadgetInspector constructor.</p></div>
<div class="paragraph"><p>Module has three key virtual methods:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>begin()</strong> - called when Snort++ starts processing the associated Lua
  table.  This is a good place to allocate any required data and set
  defaults.
</p>
</li>
<li>
<p>
<strong>set()</strong> - called to set each parameter after validation.
</p>
</li>
<li>
<p>
<strong>end()</strong> - called when Snort++ finishes processing the associated Lua
  table.  This is where additional integrity checks of related parameters
  should be done.
</p>
</li>
</ul></div>
<div class="paragraph"><p>The configured Module is passed to the plugin constructor which pulls the
configuration data from the Module.  For non-trivial configurations, the
working paradigm is that Module hands a pointer to the configured data to
the plugin instance which takes ownership.</p></div>
<div class="paragraph"><p>Note that there is at most one instance of a given Module, even if multiple
plugin instances are created which use that Module.  (Multiple instances
require Snort++ binding configuration.)</p></div>
</div>
<div class="sect2">
<h3 id="_inspectors">Inspectors</h3>
<div class="paragraph"><p>There are several types of inspector, which determines which inspectors are
executed when:</p></div>
<div class="ulist"><ul>
<li>
<p>
IT_BINDER - determines which inspectors apply to given flows
</p>
</li>
<li>
<p>
IT_WIZARD - determines which service inspector to use if none explicitly
  bound
</p>
</li>
<li>
<p>
IT_PACKET - used to process all packets before session and service processing
  (e.g. normalize)
</p>
</li>
<li>
<p>
IT_NETWORK - processes packets w/o service (e.g. arp_spoof, back_orifice)
</p>
</li>
<li>
<p>
IT_STREAM - for flow tracking, ip defrag, and tcp reassembly
</p>
</li>
<li>
<p>
IT_SERVICE - for http, ftp, telnet, etc.
</p>
</li>
<li>
<p>
IT_PROBE - process all packets after all the above (e.g. perf_monitor,
  port_scan)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_codecs">Codecs</h3>
<div class="paragraph"><p>The Snort3.0 Codecs decipher raw packets. These Codecs are now completely
pluggable; almost every Snort3.0 Codec can be built dynamically and replaced
with an alternative, customized Codec. The pluggable nature has also made it
easier to build new Codecs for protocols without having to touch the Snort3.0
code base.</p></div>
<div class="paragraph"><p>The first step in creating a Codec is defining its class and protocol. Every
Codec must inherit from the Snort3.0 Codec class defined in
"framework/codec.h". The following is an example Codec named "example" and has
an associated struct that is 14 bytes long.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>#include &lt;cstdint&gt;
#include &lt;arpa/inet.h&gt;
#include “framework/codec.h”
#include "main/snort_types.h"</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>#define EX_NAME “example”
#define EX_HELP “example codec help string”</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>struct Example
{
    uint8_t dst[6];
    uint8_t src[6];
    uint16_t ethertype;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    static inline uint8_t size()
    { return 14; }
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>class ExCodec : public Codec
{
public:
    ExCodec() : Codec(EX_NAME) { }
    ~ExCodec() { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    bool decode(const RawData&amp;, CodecData&amp;, DecodeData&amp;) override;
    void get_protocol_ids(std::vector&lt;uint16_t&gt;&amp;) override;
};</code></pre>
</div></div>
<div class="paragraph"><p>After defining ExCodec, the next step is adding the Codec&#8217;s decode
functionality. The function below does this by implementing a valid decode
function. The first parameter, which is the RawData struct, provides both a
pointer to the raw data that has come from a wire and the length of that raw
data. The function takes this information and validates that there are enough
bytes for this protocol. If the raw data&#8217;s length is less than 14 bytes, the
function returns false and Snort3.0 discards the packet; the packet is neither
inspected nor processed. If the length is greater than 14 bytes, the function
populates two fields in the CodecData struct, next_prot_id and lyr_len. The
lyr_len field tells Snort3.0 the number of bytes that this layer contains. The
next_prot_id field provides Snort3.0 the value of the next EtherType or IP
protocol number.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>bool ExCodec::decode(const RawData&amp; raw, CodecData&amp; codec, DecodeData&amp;)
{
   if ( raw.len &lt; Example::size() )
       return false;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    const Example* const ex = reinterpret_cast&lt;const Example*&gt;(raw.data);
    codec.next_prot_id = ntohs(ex-&gt;ethertype);
    codec.lyr_len = ex-&gt;size();
    return true;
}</code></pre>
</div></div>
<div class="paragraph"><p>For instance, assume this decode function receives the following raw data with
a validated length of 32 bytes:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>00 11 22 33 44 55 66 77    88 99 aa bb 08 00 45 00
00 38 00 01 00 00 40 06    5c ac 0a 01 02 03 0a 09</code></pre>
</div></div>
<div class="paragraph"><p>The Example struct&#8217;s EtherType field is the 13 and 14 bytes. Therefore, this
function tells Snort that the next protocol has an EtherType of 0x0800.
Additionally, since the lyr_len is set to 14, Snort knows that the next
protocol begins 14 bytes after the beginning of this protocol. The Codec with
EtherType 0x0800, which happens to be the IPv4 Codec, will receive the
following data with a validated length of 18 ( == 32 – 14):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>45 00 00 38 00 01 00 00    40 06 5c ac 0a 01 02 03
0a 09</code></pre>
</div></div>
<div class="paragraph"><p>How does Snort3.0 know that the IPv4 Codec has an EtherType of 0x0800? The
Codec class has a second virtual function named get_protocol_ids(). When
implementing the function, a Codec can register for any number of values
between 0x0000 - 0xFFFF. Then, if the next_proto_id is set to a value for which
this Codec has registered, this Codec&#8217;s decode function will be called. As a
general note, the protocol ids between [0, 0x00FF] are IP protocol numbers,
[0x0100, 0x05FF] are custom types, and [0x0600, 0xFFFF] are EtherTypes.</p></div>
<div class="paragraph"><p>For example, in the get_protocol_ids function below, the ExCodec registers for
the protocols numbers 17, 787, and 2054. 17 happens to be the protocol number
for UDP while 2054 is ARP&#8217;s EtherType. Therefore, this Codec will now attempt
to decode UDP and ARP data. Additionally, if any Codec sets the
next_protocol_id to 787, ExCodec&#8217;s decode function will be called. Some custom
protocols are already defined in the file "protocols/protocol_ids.h"</p></div>
<div class="literalblock">
<div class="content">
<pre><code>void ExCodec::get_protocol_ids(std::vector&lt;uint16_t&gt;&amp;v)
{
    v.push_back(0x0011); // == 17  == UDP
    v.push_back(0x1313); // == 787  == custom
    v.push_back(0x0806); // == 2054  == ARP
}</code></pre>
</div></div>
<div class="paragraph"><p>To register a Codec for Data Link Type&#8217;s rather than protocols, the function
get_data_link_type() can be similarly implemented.</p></div>
<div class="paragraph"><p>The final step to creating a pluggable Codec is the snort_plugins array. This
array is important because when Snort3.0 loads a dynamic library, the program
only find plugins that are inside the snort_plugins array. In other words, if a
plugin has not been added to the snort_plugins array, that plugin will not be
loaded into Snort3.0.</p></div>
<div class="paragraph"><p>Although the details will not be covered in this post, the following code
snippet is a basic CodecApi that Snort3.0 can load. This snippet can be copied
and used with only three minor changes. First, in the function ctor, ExCodec
should be replaced with the name of the Codec that is being built. Second,
EX_NAME must match the Codec&#8217;s name or Snort will be unable to load this Codec.
Third, EX_HELP should be replaced with the general description of this Codec.
Once this code snippet has been added, ExCodec is ready to be compiled and
plugged into Snort3.0.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>static Codec* ctor(Module*)
{ return new ExCodec; }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>static void dtor(Codec *cd)
{ delete cd; }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>static const CodecApi ex_api =
{
    {
        PT_CODEC,
        EX_NAME,
        EX_HELP,
        CDAPI_PLUGIN_V0,
        0,
        nullptr,
        nullptr,
    },
    nullptr, // pointer to a function called during Snort's startup.
    nullptr, // pointer to a function called during Snort's exit.
    nullptr, // pointer to a function called during thread's startup.
    nullptr, // pointer to a function called during thread's destruction.
    ctor, // pointer to the codec constructor.
    dtor, // pointer to the codec destructor.
};</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &amp;ex_api.base,
    nullptr
};</code></pre>
</div></div>
<div class="paragraph"><p>Two example Codecs are available in the extra directory on git and the extra
tarball on the Snort3.0 page. One of those examples is the Token Ring Codec
while the other example is the PIM Codec.</p></div>
<div class="paragraph"><p>As a final note, there are four more virtual functions that a Codec should
implement: encode, format, update, and log. If the functions are not
implemented Snort will not throw any errors. However, Snort may also be unable
to accomplish some of its basic functionality.</p></div>
<div class="ulist"><ul>
<li>
<p>
encode is called whenever Snort actively responds and needs to builds a
  packet, i.e. whenever a rule using an IPS ACTION like react, reject, or rewrite
  is triggered. This function is used to build the response packet protocol by
  protocol.
</p>
</li>
<li>
<p>
format is called when Snort is rebuilding a packet. For instance, every time
  Snort reassembles a TCP stream or IP fragment, format is called. Generally,
  this function either swaps any source and destination fields in the protocol or
  does nothing.
</p>
</li>
<li>
<p>
update is similar to format in that it is called when Snort is reassembling a
  packet. Unlike format, this function only sets length fields.
</p>
</li>
<li>
<p>
log is called when either the log_codecs logger or a custom logger that calls
  PacketManager::log_protocols is used when running Snort3.0.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ips_actions">IPS Actions</h3>
<div class="paragraph"><p>Action plugins specify a builtin action in the API which is used to
determine verdict.  (Conversely, builtin actions don&#8217;t have an associated
plugin function.)</p></div>
</div>
<div class="sect2">
<h3 id="_developers_guide">Developers Guide</h3>
<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to
the source tree.</p></div>
</div>
<div class="sect2">
<h3 id="_piglet_test_harness">Piglet Test Harness</h3>
<div class="paragraph"><p>In order to assist with plugin development, an experimental mode called "piglet" mode
is provided. With piglet mode, you can call individual methods for a specific plugin.
The piglet tests are specified as Lua scripts. Each piglet test script defines a test
for a specific plugin.</p></div>
<div class="paragraph"><p>Here is a minimal example of a piglet test script for the IPv4 Codec plugin:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>plugin =
{
    type = "piglet",
    name = "codec::ipv4",
    use_defaults = true,
    test = function()
        local daq_header = DAQHeader.new()
        local raw_buffer = RawBuffer.new("some data")
        local codec_data = CodecData.new()
        local decode_data = DecodeData.new()</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>        return Codec.decode(
            daq_header,
            raw_buffer,
            codec_data,
            decode_data
        )
    end
}</code></pre>
</div></div>
<div class="paragraph"><p>To run snort in piglet mode, first build snort with the BUILD_PIGLET option turned on
(pass the flag -DBUILD_PIGLET:BOOL=ON in cmake).</p></div>
<div class="paragraph"><p>Then, run the following command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --script-path $test_scripts --piglet</code></pre>
</div></div>
<div class="paragraph"><p>(where $test_scripts is the directory containing your piglet tests).</p></div>
<div class="paragraph"><p>The test runner will generate a check-like output, indicating the
the results of each test script.</p></div>
</div>
<div class="sect2">
<h3 id="_piglet_lua_api">Piglet Lua API</h3>
<div class="paragraph"><p>This section documents the API that piglet exposes to Lua.
Refer to the piglet directory in the source tree for examples of usage.</p></div>
<div class="paragraph"><p>Note: Because of the differences between the Lua and C++ data model and type
system, not all parameters map directly to the parameters of the underlying
C\++ member functions. Every effort has been made to keep the mappings consist,
but there are still some differences. They are documented below.</p></div>
<div class="sect3">
<h4 id="_plugin_instances">Plugin Instances</h4>
<div class="paragraph"><p>For each test, piglet instantiates plugin specified in the <code>name</code> field of the
<code>plugin</code> table. The virtual methods of the instance are exposed in a table
unique to each plugin type. The name of the table is the CamelCase name of the
plugin type.</p></div>
<div class="paragraph"><p>For example, codec plugins have a virtual method called <code>decode</code>. This method
is called like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>Codec.decode(...)</code></pre>
</div></div>
<div class="paragraph"><p><strong>Codec</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Codec.get_data_link_type() &#8594; { int, int, &#8230; }</code>
</p>
</li>
<li>
<p>
<code>Codec.get_protocol_ids() &#8594; { int, int, &#8230; }</code>
</p>
</li>
<li>
<p>
<code>Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Codec.log(RawBuffer, uint[lyr_len])</code>
</p>
</li>
<li>
<p>
<code>Codec.encode(RawBuffer, EncState, Buffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] &#8594; int</code>
</p>
</li>
<li>
<p>
<code>Codec.format(bool[reverse], RawBuffer, DecodeData)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Differences:</p></div>
<div class="ulist"><ul>
<li>
<p>
In <code>Codec.update()</code>, the <code>(uint64_t) flags</code> parameter has been split into
<code>flags_hi</code> and <code>flags_lo</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Inspector</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Inspector.configure()</code>
</p>
</li>
<li>
<p>
<code>Inspector.tinit()</code>
</p>
</li>
<li>
<p>
<code>Inspector.tterm()</code>
</p>
</li>
<li>
<p>
<code>Inspector.likes(Packet)</code>
</p>
</li>
<li>
<p>
<code>Inspector.eval(Packet)</code>
</p>
</li>
<li>
<p>
<code>Inspector.clear(Packet)</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_buf_from_key(string[key], Packet, RawBuffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_splitter(bool[to_server]) &#8594; StreamSplitter</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Differences:
* In <code>Inspector.configure()</code>, the <code>SnortConfig*</code> parameter is passed implicitly.
* the overloaded <code>get_buf()</code> member function has been split into three separate methods.</p></div>
<div class="paragraph"><p><strong>IpsOption</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>IpsOption.hash() &#8594; int</code>
</p>
</li>
<li>
<p>
<code>IpsOption.is_relative() &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>IpsOption.fp_research() &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>IpsOption.get_cursor_type() &#8594; int</code>
</p>
</li>
<li>
<p>
<code>IpsOption.eval(Cursor, Packet) &#8594; int</code>
</p>
</li>
<li>
<p>
<code>IpsOption.action(Packet)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>IpsAction</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>IpsAction.exec(Packet)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Logger</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Logger.open()</code>
</p>
</li>
<li>
<p>
<code>Logger.close()</code>
</p>
</li>
<li>
<p>
<code>Logger.reset()</code>
</p>
</li>
<li>
<p>
<code>Logger.alert(Packet, string[message], Event)</code>
</p>
</li>
<li>
<p>
<code>Logger.log(Packet, string[message], Event)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>SearchEngine</strong></p></div>
<div class="paragraph"><p>Currently, SearchEngine does not expose any methods.</p></div>
<div class="paragraph"><p><strong>SoRule</strong></p></div>
<div class="paragraph"><p>Currently, SoRule does not expose any methods.</p></div>
<div class="sect4">
<h5 id="_interface_objects">Interface Objects</h5>
<div class="paragraph"><p>Many of the plugins take C++ classes and structs as arguments. These objects
are exposed to the Lua API as Lua userdata. Exposed objects are instantiated
by calling the <code>new</code> method from each object&#8217;s method table.</p></div>
<div class="paragraph"><p>For example, the DecodeData object can be instantiated and exposed to Lua
like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>local decode_data = DecodeData.new(...)</code></pre>
</div></div>
<div class="paragraph"><p>Each object also exposes useful methods for getting and setting member variables,
and calling the C++ methods contained in the the object. These methods can
be accessed using the <code>:</code> accessor syntax:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>decode_data:set({ sp = 80, dp = 3500 })</code></pre>
</div></div>
<div class="paragraph"><p>Since this is just syntactic sugar for passing the object as the first parameter
of the function <code>DecodeData.set</code>, an equivalent form is:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>decode_data.set(decode_data, { sp = 80, dp = 3500 })</code></pre>
</div></div>
<div class="paragraph"><p>or even:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>DecodeData.set(decode_data, { sp = 80, dp = 3500 })</code></pre>
</div></div>
<div class="paragraph"><p><strong>Buffer</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Buffer.new(string[data]) &#8594; Buffer</code>
</p>
</li>
<li>
<p>
<code>Buffer.new(uint[length]) &#8594; Buffer</code>
</p>
</li>
<li>
<p>
<code>Buffer.new(RawBuffer) &#8594; Buffer</code>
</p>
</li>
<li>
<p>
<code>Buffer:allocate(uint[length]) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Buffer:clear()</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>CodecData</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>CodecData.new() &#8594; CodecData</code>
</p>
</li>
<li>
<p>
<code>CodecData.new(uint[next_prot_id]) &#8594; CodecData</code>
</p>
</li>
<li>
<p>
<code>CodecData.new(fields) &#8594; CodecData</code>
</p>
</li>
<li>
<p>
<code>CodecData:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>CodecData:set(fields)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>next_prot_id</code>
</p>
</li>
<li>
<p>
<code>lyr_len</code>
</p>
</li>
<li>
<p>
<code>invalid_bytes</code>
</p>
</li>
<li>
<p>
<code>proto_bits</code>
</p>
</li>
<li>
<p>
<code>codec_flags</code>
</p>
</li>
<li>
<p>
<code>ip_layer_cnt</code>
</p>
</li>
<li>
<p>
<code>ip6_extension_count</code>
</p>
</li>
<li>
<p>
<code>curr_ip6_extension</code>
</p>
</li>
<li>
<p>
<code>ip6_csum_proto</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Cursor</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Cursor.new() &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor.new(Packet) &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor.new(string[data]) &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor.new(RawBuffer) &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset()</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset(Packet)</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset(string[data])</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset(RawBuffer)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>DAQHeader</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>DAQHeader.new() &#8594; DAQHeader</code>
</p>
</li>
<li>
<p>
<code>DAQHeader.new(fields) &#8594; DAQHeader</code>
</p>
</li>
<li>
<p>
<code>DAQHeader:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>DAQHeader:set(fields)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>caplen</code>
</p>
</li>
<li>
<p>
<code>pktlen</code>
</p>
</li>
<li>
<p>
<code>ingress_index</code>
</p>
</li>
<li>
<p>
<code>egress_index</code>
</p>
</li>
<li>
<p>
<code>ingress_group</code>
</p>
</li>
<li>
<p>
<code>egress_group</code>
</p>
</li>
<li>
<p>
<code>flags</code>
</p>
</li>
<li>
<p>
<code>opaque</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>DecodeData</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>DecodeData.new() &#8594; DecodeData</code>
</p>
</li>
<li>
<p>
<code>DecodeData.new(fields) &#8594; DecodeData</code>
</p>
</li>
<li>
<p>
<code>DecodeData:reset()</code>
</p>
</li>
<li>
<p>
<code>DecodeData:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>DecodeData:set(fields)</code>
</p>
</li>
<li>
<p>
<code>DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>sp</code>
</p>
</li>
<li>
<p>
<code>dp</code>
</p>
</li>
<li>
<p>
<code>decode_flags</code>
</p>
</li>
<li>
<p>
<code>type</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>EncState</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>EncState.new() &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl], uint[dsize]) &#8594; EncState</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Event</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Event.new() &#8594; Event</code>
</p>
</li>
<li>
<p>
<code>Event.new(fields) &#8594; Event</code>
</p>
</li>
<li>
<p>
<code>Event:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>Event:set(fields)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>event_id</code>
</p>
</li>
<li>
<p>
<code>event_reference</code>
</p>
</li>
<li>
<p>
<code>sig_info</code>
</p>
<div class="ulist"><ul>
<li>
<p>
<code>generator</code>
</p>
</li>
<li>
<p>
<code>id</code>
</p>
</li>
<li>
<p>
<code>rev</code>
</p>
</li>
<li>
<p>
<code>class_id</code>
</p>
</li>
<li>
<p>
<code>priority</code>
</p>
</li>
<li>
<p>
<code>text_rule</code>
</p>
</li>
<li>
<p>
<code>num_services</code>
</p>
</li>
</ul></div>
</li>
</ul></div>
<div class="paragraph"><p><strong>Flow</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Flow.new() &#8594; Flow</code>
</p>
</li>
<li>
<p>
<code>Flow:reset()</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Packet</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Packet.new() &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(string[data]) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(uint[size]) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(fields) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(RawBuffer) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(DAQHeader) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet:set_decode_data(DecodeData)</code>
</p>
</li>
<li>
<p>
<code>Packet:set_data(uint[offset], uint[length])</code>
</p>
</li>
<li>
<p>
<code>Packet:set_flow(Flow)</code>
</p>
</li>
<li>
<p>
<code>Packet:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>Packet:set() </code>
</p>
</li>
<li>
<p>
<code>Packet:set(string[data]) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(uint[size]) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(fields) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(RawBuffer) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(DAQHeader) </code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>packet_flags</code>
</p>
</li>
<li>
<p>
<code>xtradata_mask</code>
</p>
</li>
<li>
<p>
<code>proto_bits</code>
</p>
</li>
<li>
<p>
<code>application_protocol_ordinal</code>
</p>
</li>
<li>
<p>
<code>alt_dsize</code>
</p>
</li>
<li>
<p>
<code>num_layers</code>
</p>
</li>
<li>
<p>
<code>iplist_id</code>
</p>
</li>
<li>
<p>
<code>user_policy_id</code>
</p>
</li>
<li>
<p>
<code>ps_proto</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: <code>Packet.new()</code> and <code>Packet:set()</code> accept multiple arguments of the
types described above in any order</p></div>
<div class="paragraph"><p><strong>RawBuffer</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>RawBuffer.new() &#8594; RawBuffer</code>
</p>
</li>
<li>
<p>
<code>RawBuffer.new(uint[size]) &#8594; RawBuffer</code>
</p>
</li>
<li>
<p>
<code>RawBuffer.new(string[data]) &#8594; RawBuffer</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:size() &#8594; int</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:resize(uint[size])</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:write(string[data])</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:write(string[data], uint[size])</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:read() &#8594; string</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:read(uint[end]) &#8594; string</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:read(uint[start], uint[end]) &#8594; string</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: calling <code>RawBuffer.new()</code> with no arguments returns a RawBuffer of size 0</p></div>
<div class="paragraph"><p><strong>StreamSplitter</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>StreamSplitter:scan(Flow, RawBuffer) &#8594; int, int</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:scan(Flow, RawBuffer, uint[len]) &#8594; int, int</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) &#8594; int, int</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer) &#8594; int, RawBuffer</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len]) &#8594; int, RawBuffer</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len], uint[flags]) &#8594; int, RawBuffer</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:finish(Flow) &#8594; bool</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: StreamSplitter does not have a <code>new()</code> method, it must be created by an inspector via
<code>Inspector.get_splitter()</code></p></div>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_coding_style">Coding Style</h2>
<div class="sectionbody">
<div class="paragraph"><p>All new code should try to follow these style guidelines.  These are not
yet firm so feedback is welcome to get something we can live with.</p></div>
<div class="sect2">
<h3 id="_general">General</h3>
<div class="ulist"><ul>
<li>
<p>
Generally try to follow
  <a href="http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml">http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml</a>,
  but there are a few differences.
</p>
</li>
<li>
<p>
Each source directory should have a dev_notes.txt file summarizing the
  key points for the code in that directory.  These are built into the
  developers guide.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_naming">Naming</h3>
<div class="ulist"><ul>
<li>
<p>
Use camel case for namespaces, classes, and types like WhizBangPdfChecker.
</p>
</li>
<li>
<p>
Use lower case identifiers with underscore separators, e.g. some_function()
  and my_var.
</p>
</li>
<li>
<p>
Use lower case filenames with underscores.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_comments">Comments</h3>
<div class="ulist"><ul>
<li>
<p>
Write comments sparingly with a mind towards future proofing.  Often the
  comments can be obviated with better code.  Clear code is better than a
  comment.
</p>
</li>
<li>
<p>
Function comment blocks are generally just noise that quickly becomes
  obsolete.  If you absolutely must comment on parameters, put each on a
  separate line along with the comment.  That way changing the signature
  may prompt a change to the comments too.
</p>
</li>
<li>
<p>
Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a
  day or even just a minute.  That way we can find them easily and won&#8217;t
  lose track of them.
</p>
</li>
<li>
<p>
Presently using FIXIT-X where X = P | H | M | L, indicating perf, high,
  med, or low priority.  For now, H, M, or L can indicate alpha 1, 2, or 3.
  Perf changes fall between alpha 1 and 2.
</p>
</li>
<li>
<p>
Put the copyright(s) and license in a comment block at the top of each
  source file (.h and .cc).  Don&#8217;t bother with trivial scripts and make
  foo.  Some interesting Lua code should get a comment block too.  Copy and
  paste exactly from src/main.h (don&#8217;t reformat).
</p>
</li>
<li>
<p>
Put author, description, etc. in separate comment(s) following the
  license.  Do not put such comments in the middle of the license foo.
  Be sure to put the author line ahead of the header guard to exclude them
  from the developers guide.
</p>
</li>
<li>
<p>
Each header should have a comment immediately after the header guard to
  give an overview of the file so the user knows what&#8217;s going on.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_logging">Logging</h3>
<div class="ulist"><ul>
<li>
<p>
Messages intended for the user should not look like debug messages. Eg,
  the function name should not be included.
</p>
</li>
<li>
<p>
Most debug messages should just be deleted.
</p>
</li>
<li>
<p>
Don&#8217;t bang your error messages (no !).  The user feels bad enough about the
  problem already w/o you shouting at him.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_types">Types</h3>
<div class="ulist"><ul>
<li>
<p>
Use logical types to make the code clearer and to help the compiler catch
  problems.  typedef uint16_t Port; bool foo(Port) is way better than
  int foo(int port).
</p>
</li>
<li>
<p>
Use forward declarations (e.g. struct SnortConfig;) instead of void*.
</p>
</li>
<li>
<p>
Try not to use extern data unless absolutely necessary and then put the
  extern in an appropriate header.
</p>
</li>
<li>
<p>
Use const liberally.  In most cases, const char* s = "foo" should be
  const char* const s = "foo".  The former goes in the initialized data
  section and the latter in read only data section.
</p>
</li>
<li>
<p>
But use const char s[] = "foo" instead of const char* s = "foo" when
  possible.  The latter form allocates a pointer variable and the data
  while the former allocates only the data.
</p>
</li>
<li>
<p>
Use static wherever possible to minimize public symbols and eliminate
  unneeded relocations.
</p>
</li>
<li>
<p>
Declare functions virtual only in the parent class introducing the
  function (not in a derived class that is overriding the function).
  This makes it clear which class introduces the function.
</p>
</li>
<li>
<p>
Declare functions as override if they are intended to override a
  function.  This makes it possible to find derived implementations that
  didn&#8217;t get updated and therefore won&#8217;t get called due a change in the
  parent signature.
</p>
</li>
<li>
<p>
Use bool functions instead of int unless there is truly a need for
  multiple error returns.  The C-style use of zero for success and -1 for
  error is less readable and often leads to messy code that either ignores
  the various errors anyway or needlessly and ineffectively tries to do
  something aobut them.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_macros_aka_defines">Macros (aka defines)</h3>
<div class="ulist"><ul>
<li>
<p>
In many cases, even in C++, use #define name "value" instead of a
  const char* const name = "value" because it will eliminate a symbol from
  the binary.
</p>
</li>
<li>
<p>
Use inline functions instead of macros where possible (pretty much all
  cases except where stringification is necessary).  Functions offer better
  typing, avoid re-expansions, and a debugger can break there.
</p>
</li>
<li>
<p>
All macros except simple const values should be wrapped in () and all
  args should be wrapped in () too to avoid surprises upon expansion.
  Example:
</p>
<div class="literalblock">
<div class="content">
<pre><code>#define SEQ_LT(a,b)  ((int)((a) - (b)) &lt;  0)</code></pre>
</div></div>
</li>
<li>
<p>
Multiline macros should be blocked (i.e. inside { }) to avoid if-else type
  surprises.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_formatting">Formatting</h3>
<div class="ulist"><ul>
<li>
<p>
Indent 4 space chars &#8230; no tabs!
</p>
</li>
<li>
<p>
If you need to indent many times, something could be rewritten or
  restructured to make it clearer.  Fewer indents is generally easier to
  write, easier to read, and overall better code.
</p>
</li>
<li>
<p>
Braces go on the line immediately following a new scope (function
  signature, if, else, loop, switch, etc.
</p>
</li>
<li>
<p>
Use consistent spacing and line breaks.  Always indent 4 spaces from the
  breaking line.  Keep lines less than 100 chars; it greatly helps
  readability.
</p>
<div class="literalblock">
<div class="content">
<pre><code>No:
    calling_a_func_with_a_long_name(arg1,
                                    arg2,
                                    arg3);</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Yes:
    calling_a_func_with_a_long_name(
        arg1, arg2, arg3);</code></pre>
</div></div>
</li>
<li>
<p>
Put function signature on one line, except when breaking for the arg
  list:
</p>
<div class="literalblock">
<div class="content">
<pre><code>No:
    inline
    bool foo()
    { // ...</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Yes:
    inline bool foo()
    { // ...</code></pre>
</div></div>
</li>
<li>
<p>
Put conditional code on the line following the if so it is easy to break
  on the conditional block:
</p>
<div class="literalblock">
<div class="content">
<pre><code>No:
    if ( test ) foo();</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Yes:
    if ( test )
        foo();</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_headers">Headers</h3>
<div class="ulist"><ul>
<li>
<p>
Don&#8217;t hesitate to create a new header if it is needed.  Don&#8217;t lump
  unrelated stuff into an header because it is convenient.
</p>
</li>
<li>
<p>
Write header guards like this (leading underscores are reserved for
  system stuff).  In my_header.h:
</p>
<div class="literalblock">
<div class="content">
<pre><code>#ifndef MY_HEADER_H
#define MY_HEADER_H
// ...
#endif</code></pre>
</div></div>
</li>
<li>
<p>
Includes from a different directory should specify parent directory.
  This makes it clear exactly what is included and avoids the primordial
  soup that results from using -I this -I that -I the_other_thing &#8230; .
</p>
<div class="literalblock">
<div class="content">
<pre><code>// given:
src/foo/foo.cc
src/bar/bar.cc
src/bar/baz.cc</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>// in baz.cc
#include "bar.h"</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>// in foo.cc
#include "bar/bar.h"</code></pre>
</div></div>
</li>
<li>
<p>
Includes within installed headers should specify parent directory.
</p>
</li>
<li>
<p>
Just because it is a #define doesn&#8217;t mean it goes in a header.
  Everything should be scoped as tightly as possible.  Shared
  implementation declarations should go in a separate header from the
  interface.  And so on.
</p>
</li>
<li>
<p>
A .cc should include its own .h before any others (including
  system headers).  This ensures that the header stands on its own and can
  be used by clients without include prerequisites.
</p>
</li>
<li>
<p>
Include required headers, all required headers, and nothing but required
  headers.  Don&#8217;t just clone a bunch of headers because it is convenient.
</p>
</li>
<li>
<p>
Any file depending of #ifdefs should include config.h as shown below.  A
  .h should include it before any other includes, and a .cc should include
  it immediately after the include of its own .h.
</p>
<div class="literalblock">
<div class="content">
<pre><code>#ifdef HAVE_CONFIG_H
#include "config.h"
#endif</code></pre>
</div></div>
</li>
<li>
<p>
Do not put using statements in headers.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_warnings">Warnings</h3>
<div class="ulist"><ul>
<li>
<p>
With g++, use at least these compiler flags:
</p>
<div class="literalblock">
<div class="content">
<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security
-Wunused-but-set-variable -Wno-deprecated-declarations</code></pre>
</div></div>
</li>
<li>
<p>
With clang, use at least these compiler flags:
</p>
<div class="literalblock">
<div class="content">
<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security
-Wno-deprecated-declarations</code></pre>
</div></div>
</li>
<li>
<p>
Then Fix All Warnings.  None Allowed.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_other">Other</h3>
<div class="ulist"><ul>
<li>
<p>
Prefer <em>and</em> over &amp;&amp; and <em>or</em> over || for new source files.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_uncrustify">Uncrustify</h3>
<div class="paragraph"><p>Currently using uncrustify from at <a href="https://github.com/bengardner/uncrustify">https://github.com/bengardner/uncrustify</a>
to reformat legacy code and anything that happens to need a makeover at
some point.</p></div>
<div class="paragraph"><p>The working config is crusty.cfg in the top level directory.  It does well
but will munge some things.  Specially formatted INDENT-OFF comments were
added in 2 places to avoid a real mess.</p></div>
<div class="paragraph"><p>You can use uncrustify something like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>uncrustify -c crusty.cfg --replace file.cc</code></pre>
</div></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_reference_2">Reference</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_terminology">Terminology</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>basic module</strong>: a module integrated into Snort that does not come from a
  plugin.
</p>
</li>
<li>
<p>
<strong>binder</strong>: inspector that maps configuration to traffic
</p>
</li>
<li>
<p>
<strong>builtin rules</strong>: codec and inspector rules for anomalies detected
  internally.
</p>
</li>
<li>
<p>
<strong>codec</strong>: short for coder / decoder.  These plugins are used for basic
   protocol decoding, anomaly detection, and construction of active responses.
</p>
</li>
<li>
<p>
<strong>data module</strong>: an adjunct configuration plugin for use with certain inspectors.
</p>
</li>
<li>
<p>
<strong>dynamic rules</strong>: plugin rules loaded at runtime.  See SO rules.
</p>
</li>
<li>
<p>
<strong>fast pattern</strong>: the content in an IPS rule that must be found by the
  search engine in order for a rule to be evaluated.
</p>
</li>
<li>
<p>
<strong>fast pattern matcher</strong>: see search engine.
</p>
</li>
<li>
<p>
<strong>hex</strong>: a type of protocol magic that the wizard uses to identify binary
  protocols.
</p>
</li>
<li>
<p>
<strong>inspector</strong>: plugin that processes packets (similar to the legacy Snort
  preprocessor)
</p>
</li>
<li>
<p>
<strong>IPS</strong>:  intrusion prevention system, like Snort.
</p>
</li>
<li>
<p>
<strong>IPS action</strong>: plugin that allows you to perform custom actions when
  events are generated.  Unlike loggers, these are invoked before
  thresholding and can be used to control external agents or send active
  responses.
</p>
</li>
<li>
<p>
<strong>IPS option</strong>: this plugin is the building blocks of IPS rules.
</p>
</li>
<li>
<p>
<strong>logger</strong>: a plugin that performs output of events and packets.  Events
  are thresholded before reaching loggers.
</p>
</li>
<li>
<p>
<strong>module</strong>: the user facing portion of a Snort component.  Modules chiefly
  provide configuration parameters, but may also provide commands, builtin
  rules, profiling statistics, peg counts, etc.  Note that not all modules
  are plugins and not all plugins have modules.
</p>
</li>
<li>
<p>
<strong>peg count</strong>: the number of times a given event or condition occurs.
</p>
</li>
<li>
<p>
<strong>plugin</strong>: one of several types of software components that can be loaded
  from a dynamic library when Snort starts up.  Some plugins are coupled
  with the main engine in such a way that they must be built statically,
  but a newer version can be loaded dynamically.
</p>
</li>
<li>
<p>
<strong>search engine</strong>: a plugin that performs multipattern searching of packets
  and payload to find rules that should be evaluated.  There are currently
  no specific modules, although there are several search engine plugins.
  Related configuration is done with the basic detection module.  Aka fast
  pattern matcher.
</p>
</li>
<li>
<p>
<strong>SO rule</strong>: a IPS rule plugin that performs custom detection that can&#8217;t
  be done by a text rule.  These rules typically do not have associated
  modules.  SO comes from shared object, meaning dynamic library.
</p>
</li>
<li>
<p>
<strong>spell</strong>: a type of protocol magic that the wizard uses to identify ASCII
  protocols.
</p>
</li>
<li>
<p>
<strong>text rule</strong>: a rule loaded from the configuration that has a header and
  body.  The header specifies action, protocol, source and destination IP
  addresses and ports, and direction.  The body specifies detection and
  non-detection options.
</p>
</li>
<li>
<p>
<strong>wizard</strong>: inspector that applies protocol magic to determine which
  inspectors should be bound to traffic absent a port specific binding.
  See hex and spell.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_usage_2">Usage</h3>
<div class="paragraph"><p>For the following examples "$my_path" is assumed to be the path to the
Snort++ install directory. Additionally, it is assumed that "$my_path/bin"
is in your PATH.</p></div>
<div class="sect3">
<h4 id="_environment">Environment</h4>
<div class="paragraph"><p>LUA_PATH is used directly by Lua to load and run required libraries.
SNORT_LUA_PATH is used by Snort to load supplemental configuration files.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_help_2">Help</h4>
<div class="paragraph"><p>Print the help summary:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help</code></pre>
</div></div>
<div class="paragraph"><p>Get help on a specific module ("stream", for example):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-module stream</code></pre>
</div></div>
<div class="paragraph"><p>Get help on the "-A" command line option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-options A</code></pre>
</div></div>
<div class="paragraph"><p>Grep for help on threads:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-config | grep thread</code></pre>
</div></div>
<div class="paragraph"><p>Output help on "rule" options in AsciiDoc format:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --markup --help-options rule</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Snort++ stops reading command-line options after the "--help-<strong>" and
"--list-</strong>" options, so any other options should be placed before them.</td>
</tr></table>
</div>
</div>
<div class="sect3">
<h4 id="_sniffing_and_logging">Sniffing and Logging</h4>
<div class="paragraph"><p>Read a pcap:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -r /path/to/my.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Dump the packets to stdout:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -r /path/to/my.pcap -L dump</code></pre>
</div></div>
<div class="paragraph"><p>Dump packets with application data and layer 2 headers</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -r /path/to/my.pcap -L dump -d -e</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Command line options must be specified separately. "snort -de" won&#8217;t
work.  You can still concatenate options and their arguments, however, so
"snort -Ldump" will work.</td>
</tr></table>
</div>
<div class="paragraph"><p>Dump packets from all pcaps in a directory:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e</code></pre>
</div></div>
<div class="paragraph"><p>Log packets to a directory:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_configuration_2">Configuration</h4>
<div class="paragraph"><p>Validate a configuration file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua</code></pre>
</div></div>
<div class="paragraph"><p>Validate a configuration file and a separate rules file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>
</div></div>
<div class="paragraph"><p>Read rules from stdin and validate:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --stdin-rules &lt; $my_path/etc/snort/sample.rules</code></pre>
</div></div>
<div class="paragraph"><p>Enable warnings for Lua configurations and make warnings fatal:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic</code></pre>
</div></div>
<div class="paragraph"><p>Tell Snort++ where to look for additional Lua scripts:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --script-path /path/to/script/dir</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_ids_mode">IDS mode</h4>
<div class="paragraph"><p>Run Snort++ in IDS mode, reading packets from a pcap:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Log any generated alerts to the console using the "-A" option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full</code></pre>
</div></div>
<div class="paragraph"><p>Add or modify a configuration from the command line using the "--lua" option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
    --lua 'ips = { enable_builtin_rules = true }'</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The "--lua" option can be specified multiple times.</td>
</tr></table>
</div>
<div class="paragraph"><p>Run Snort++ in IDS mode on an entire directory of pcaps, processing each
input source on a separate thread:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' --max-packet-threads 8</code></pre>
</div></div>
<div class="paragraph"><p>Run Snort++ on 2 interfaces, eth0 and eth1:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg</code></pre>
</div></div>
<div class="paragraph"><p>Run Snort++ inline with the afpacket DAQ:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \
    -A cmg</code></pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_plugins_2">Plugins</h3>
<div class="paragraph"><p>Load external plugins and use the "ex" alert:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --plugin-path $my_path/lib/snort_extra \
    -A alert_ex -r /path/to/my.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Test the LuaJIT rule option <em>find</em> loaded from stdin:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --script-path $my_path/lib/snort_extra \
    --stdin-rules -A cmg -r /path/to/my.pcap &lt;&lt; END
alert tcp any any -&gt; any 80 (
    sid:3; msg:"found"; content:"GET";
    find:"pat='HTTP/1%.%d'" ; )
END</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_output_files">Output Files</h3>
<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet
threads, output files are not explicitly configured. Instead, you can use
the options below to format the paths:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;logdir&gt;/[&lt;run_prefix&gt;][&lt;id#&gt;][&lt;X&gt;]&lt;name&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Log to unified in the current directory:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2</code></pre>
</div></div>
<div class="paragraph"><p>Log to unified in the current directory with a different prefix:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
    --run-prefix take2</code></pre>
</div></div>
<div class="paragraph"><p>Log to unified in /tmp:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp</code></pre>
</div></div>
<div class="paragraph"><p>Run 4 packet threads and log with thread number prefix (0-3):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2</code></pre>
</div></div>
<div class="paragraph"><p>Run 4 packet threads and log in thread number subdirs (0-3):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">subdirectories are created automatically if required.  Log filename
is based on module name that writes the file.  All text mode outputs
default to stdout.  These options can be combined.</td>
</tr></table>
</div>
<div class="sect3">
<h4 id="_daq_alternatives">DAQ Alternatives</h4>
<div class="paragraph"><p>Process hext packets from stdin:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq hext -i tty &lt;&lt; END
$packet 10.1.2.3 48620 -&gt; 10.9.8.7 80
"GET / HTTP/1.1\r\n"
"Host: localhost\r\n"
"\r\n"
END</code></pre>
</div></div>
<div class="paragraph"><p>Process raw ethernet from hext file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq hext \
    --daq-var dlt=1 -r &lt;hext-file&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Process a directory of plain files (ie non-pcap) with 4 threads with 8K
buffers:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq file \
    --pcap-dir path/to/files -z 4 -s 8192</code></pre>
</div></div>
<div class="paragraph"><p>Bridge two TCP connections on port 8000 and inspect the traffic:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq socket</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_logger_alternatives">Logger Alternatives</h4>
<div class="paragraph"><p>Dump TCP stream payload in hext mode:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -L hext</code></pre>
</div></div>
<div class="paragraph"><p>Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap,
rule, action for each alert:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -A csv</code></pre>
</div></div>
<div class="paragraph"><p>Output the old test format alerts:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_shell">Shell</h4>
<div class="paragraph"><p>You must build with --enable-shell to make the command line shell available.</p></div>
<div class="paragraph"><p>Enable shell mode:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --shell &lt;args&gt;</code></pre>
</div></div>
<div class="paragraph"><p>You will see the shell mode command prompt, which looks like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>o")~</code></pre>
</div></div>
<div class="paragraph"><p>(The prompt can be changed with the SNORT_PROMPT environment variable.)</p></div>
<div class="paragraph"><p>You can pause immediately after loading the configuration and again before
exiting with:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --shell --pause &lt;args&gt;</code></pre>
</div></div>
<div class="paragraph"><p>In that case you must issue the resume() command to continue.  Enter quit()
to terminate Snort or detach() to exit the shell.  You can list the
available commands with help().</p></div>
<div class="paragraph"><p>To enable local telnet access on port 12345:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --shell -j 12345 &lt;args&gt;</code></pre>
</div></div>
<div class="paragraph"><p>The command line interface is still under development.  Suggestions are
welcome.</p></div>
</div>
<div class="sect3">
<h4 id="_signals">Signals</h4>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The following examples assume that Snort++ is currently running and
has a process ID of &lt;pid&gt;.</td>
</tr></table>
</div>
<div class="paragraph"><p>Modify and Reload Configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>echo 'suppress = { { gid = 1, sid = 2215 } }' &gt;&gt; $my_path/etc/snort/snort.lua
kill -hup &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Dump stats to stdout:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>kill -usr1 &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Shutdown normally:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>kill -term &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Exit without flushing packets:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>kill -quit &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>List available signals:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-signals</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The available signals may vary from platform to platform.</td>
</tr></table>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_optional_features">Optional Features</h3>
<div class="paragraph"><p>The features listed below must be explicitly enabled so they are built
into the Snort binary.  For a full list of build features, run ./configure
--help.</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>--enable-ppm</strong>: enable packet and rule performance monitoring and coarse
   latency enforcement.
</p>
</li>
<li>
<p>
<strong>--enable-perf-profiling</strong>: enable module and rule performance profiling.
</p>
</li>
<li>
<p>
<strong>--enable-shell</strong>: enable local and remote command line shell support.
</p>
</li>
</ul></div>
<div class="paragraph"><p>These features are built only if the required libraries and headers are
present.  There is no need to explicitly enable.</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>lzma</strong>: from <a href="http://www.7-zip.org/sdk.html">http://www.7-zip.org/sdk.html</a> for decompression of SWF fles.
</p>
</li>
<li>
<p>
<strong>openssl</strong>: from <a href="https://www.openssl.org">https://www.openssl.org</a> for SHA and MD5 file signatures and
  the protected_content rule option.
</p>
</li>
<li>
<p>
*intel-soft-cpm": an optional pattern matcher based on a library from
  Intel.
</p>
</li>
</ul></div>
<div class="paragraph"><p>If you need to use headers and/or libraries in non-standard locations, you
can use these options:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>--with-pkg-includes</strong>: specify the directory containing the package
  headers.
</p>
</li>
<li>
<p>
<strong>--with-pkg-libraries</strong>: specify the directory containing the package
  libraries.
</p>
</li>
</ul></div>
<div class="paragraph"><p>These can be use for pcap, luajit, pcre, dnet, daq, lzma, openssl, and
intel-soft-cpm packages.</p></div>
</div>
<div class="sect2">
<h3 id="_environment_variables">Environment Variables</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>HOSTTYPE</strong>: optional string that is output with the version at end of
  line.
</p>
</li>
<li>
<p>
<strong>LUA_PATH</strong>: you must export as follows so LuaJIT can find required
  files.
</p>
<div class="literalblock">
<div class="content">
<pre><code>LUA_PATH=$install_dir/include/snort/lua/\?.lua\;\;</code></pre>
</div></div>
</li>
<li>
<p>
<strong>SNORT_IGNORE</strong>: the list of symbols Snort should ignore when parsing the
  Lua conf.  Unknown symbols not in SNORT_IGNORE will cause warnings with
  --warn-unknown or fatals with --warn-unknown --pedantic.
</p>
</li>
<li>
<p>
<strong>SNORT_LUA_PATH</strong>: an optional path where Snort can find supplemental conf
  files such as classification.lua.
</p>
</li>
<li>
<p>
<strong>SNORT_PROMPT</strong>: the character sequence that is printed at startup,
  shutdown, and in the shell.  The default is the mini-pig: o")~ .
</p>
</li>
<li>
<p>
<strong>SNORT_PLUGIN_PATH</strong>: an optional path where Snort can find supplemental
  shared libraries.  This is only used when Snort is building manuals.
  Modules in supplemental shared libraries will be added to the manuals.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_command_line_options">Command Line Options</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>--alert-before-pass</strong> process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,&#8230;
</p>
</li>
<li>
<p>
<strong>--bpf</strong> &lt;filter options&gt; are standard BPF options, as seen in TCPDump
</p>
</li>
<li>
<p>
<strong>--c2x</strong> output hex for given char (see also --x2c)
</p>
</li>
<li>
<p>
<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>
</p>
</li>
<li>
<p>
<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode
</p>
</li>
<li>
<p>
<strong>--daq</strong> &lt;type&gt; select packet acquisition module (default is pcap)
</p>
</li>
<li>
<p>
<strong>--daq-dir</strong> &lt;dir&gt; tell snort where to find desired DAQ
</p>
</li>
<li>
<p>
<strong>--daq-list</strong> list packet acquisition modules available in optional dir, default is static modules only
</p>
</li>
<li>
<p>
<strong>--daq-mode</strong> &lt;mode&gt; select the DAQ operating mode
</p>
</li>
<li>
<p>
<strong>--daq-var</strong> &lt;name=value&gt; specify extra DAQ configuration variable
</p>
</li>
<li>
<p>
<strong>--dirty-pig</strong> don&#8217;t flush packets on shutdown
</p>
</li>
<li>
<p>
<strong>--dump-builtin-rules</strong> [&lt;module prefix&gt;] output stub rules for selected modules
</p>
</li>
<li>
<p>
<strong>--dump-defaults</strong> [&lt;module prefix&gt;] output module defaults in Lua format (optional)
</p>
</li>
<li>
<p>
<strong>--dump-dynamic-rules</strong> output stub rules for all loaded rules libraries
</p>
</li>
<li>
<p>
<strong>--dump-version</strong> output the version, the whole version, and only the version (optional)
</p>
</li>
<li>
<p>
<strong>--enable-inline-test</strong> enable Inline-Test Mode Operation
</p>
</li>
<li>
<p>
<strong>--help</strong> list command line options
</p>
</li>
<li>
<p>
<strong>--help-commands</strong> [&lt;module prefix&gt;] output matching commands (optional)
</p>
</li>
<li>
<p>
<strong>--help-config</strong> [&lt;module prefix&gt;] output matching config options (optional)
</p>
</li>
<li>
<p>
<strong>--help-counts</strong> [&lt;module prefix&gt;] output matching peg counts (optional)
</p>
</li>
<li>
<p>
<strong>--help-module</strong> &lt;module&gt; output description of given module
</p>
</li>
<li>
<p>
<strong>--help-modules</strong> list all available modules with brief help
</p>
</li>
<li>
<p>
<strong>--help-options</strong> &lt;option prefix&gt; output matching command line option quick help (same as -?) (optional)
</p>
</li>
<li>
<p>
<strong>--help-plugins</strong> list all available plugins with brief help
</p>
</li>
<li>
<p>
<strong>--help-signals</strong> dump available control signals
</p>
</li>
<li>
<p>
<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix
</p>
</li>
<li>
<p>
<strong>--id-zero</strong> use id prefix / subdirectory even with one packet thread
</p>
</li>
<li>
<p>
<strong>--list-buffers</strong> output available inspection buffers
</p>
</li>
<li>
<p>
<strong>--list-builtin</strong> &lt;module prefix&gt; output matching builtin rules (optional)
</p>
</li>
<li>
<p>
<strong>--list-gids</strong> [&lt;module prefix&gt;] output matching generators (optional)
</p>
</li>
<li>
<p>
<strong>--list-modules</strong> [&lt;module type&gt;] list all known modules of given type (optional)
</p>
</li>
<li>
<p>
<strong>--list-plugins</strong> list all known plugins
</p>
</li>
<li>
<p>
<strong>--logid</strong> &lt;0xid&gt; log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)
</p>
</li>
<li>
<p>
<strong>--lua</strong> &lt;chunk&gt; extend/override conf with chunk; may be repeated
</p>
</li>
<li>
<p>
<strong>--markup</strong> output help in asciidoc compatible format
</p>
</li>
<li>
<p>
<strong>--max-packet-threads</strong> &lt;count&gt; configure maximum number of packet threads (same as -z) (0:)
</p>
</li>
<li>
<p>
<strong>--nolock-pidfile</strong> do not try to lock Snort PID file
</p>
</li>
<li>
<p>
<strong>--nostamps</strong> don&#8217;t include timestamps in log file names
</p>
</li>
<li>
<p>
<strong>--pause</strong> wait for resume/quit command before processing packets/terminating
</p>
</li>
<li>
<p>
<strong>--pcap-dir</strong> &lt;dir&gt; a directory to recurse to look for pcaps - read mode is implied
</p>
</li>
<li>
<p>
<strong>--pcap-file</strong> &lt;file&gt; file that contains a list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
<strong>--pcap-filter</strong> &lt;filter&gt; filter to apply when getting pcaps from file or directory
</p>
</li>
<li>
<p>
<strong>--pcap-list</strong> &lt;list&gt; a space separated list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
<strong>--pcap-loop</strong> &lt;count&gt; read all pcaps &lt;count&gt; times;  0 will read until Snort is terminated (-1:)
</p>
</li>
<li>
<p>
<strong>--pcap-no-filter</strong> reset to use no filter when getting pcaps from file or directory
</p>
</li>
<li>
<p>
<strong>--pcap-reload</strong> if reading multiple pcaps, reload snort config between pcaps
</p>
</li>
<li>
<p>
<strong>--pcap-show</strong> print a line saying what pcap is currently being read
</p>
</li>
<li>
<p>
<strong>--pedantic</strong> warnings are fatal
</p>
</li>
<li>
<p>
<strong>--piglet</strong> enable piglet test harness mode
</p>
</li>
<li>
<p>
<strong>--plugin-path</strong> &lt;path&gt; where to find plugins
</p>
</li>
<li>
<p>
<strong>--process-all-events</strong> process all action groups
</p>
</li>
<li>
<p>
<strong>--rule</strong> &lt;rules&gt; to be added to configuration; may be repeated
</p>
</li>
<li>
<p>
<strong>--rule-to-hex</strong> output so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
<strong>--rule-to-text</strong> output plain so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
<strong>--run-prefix</strong> &lt;pfx&gt; prepend this to each output file
</p>
</li>
<li>
<p>
<strong>--script-path</strong> &lt;path&gt; to a luajit script or directory containing luajit scripts
</p>
</li>
<li>
<p>
<strong>--shell</strong> enable the interactive command line
</p>
</li>
<li>
<p>
<strong>--show-plugins</strong> list module and plugin versions
</p>
</li>
<li>
<p>
<strong>--skip</strong> &lt;n&gt; skip 1st n packets (0:)
</p>
</li>
<li>
<p>
<strong>--snaplen</strong> &lt;snap&gt; set snaplen of packet (same as -s) (68:65535)
</p>
</li>
<li>
<p>
<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read
</p>
</li>
<li>
<p>
<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup
</p>
</li>
<li>
<p>
<strong>--treat-drop-as-ignore</strong> use drop, sdrop, and reject rules to ignore session traffic when not inline
</p>
</li>
<li>
<p>
<strong>--version</strong> show version number (same as -V)
</p>
</li>
<li>
<p>
<strong>--warn-all</strong> enable all warnings
</p>
</li>
<li>
<p>
<strong>--warn-conf</strong> warn about configuration issues
</p>
</li>
<li>
<p>
<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode
</p>
</li>
<li>
<p>
<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa
</p>
</li>
<li>
<p>
<strong>--warn-hosts</strong> warn about host table issues
</p>
</li>
<li>
<p>
<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading
</p>
</li>
<li>
<p>
<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues
</p>
</li>
<li>
<p>
<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts
</p>
</li>
<li>
<p>
<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config
</p>
</li>
<li>
<p>
<strong>--warn-vars</strong> warn about variable definition and usage issues
</p>
</li>
<li>
<p>
<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)
</p>
</li>
<li>
<p>
<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)
</p>
</li>
<li>
<p>
<strong>-?</strong> &lt;option prefix&gt; output matching command line option quick help (same as --help-options) (optional)
</p>
</li>
<li>
<p>
<strong>-A</strong> &lt;mode&gt; set alert mode: none, cmg, or alert_*
</p>
</li>
<li>
<p>
<strong>-B</strong> &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask
</p>
</li>
<li>
<p>
<strong>-C</strong> print out payloads with character data only (no hex)
</p>
</li>
<li>
<p>
<strong>-D</strong> run Snort in background (daemon) mode
</p>
</li>
<li>
<p>
<strong>-G</strong> &lt;0xid&gt; (same as --logid) (0:65535)
</p>
</li>
<li>
<p>
<strong>-H</strong> make hash tables deterministic
</p>
</li>
<li>
<p>
<strong>-L</strong> &lt;mode&gt; logging mode (none, dump, pcap, or log_*)
</p>
</li>
<li>
<p>
<strong>-M</strong> log messages to syslog (not alerts)
</p>
</li>
<li>
<p>
<strong>-O</strong> obfuscate the logged IP addresses
</p>
</li>
<li>
<p>
<strong>-Q</strong> enable inline mode operation
</p>
</li>
<li>
<p>
<strong>-R</strong> &lt;rules&gt; include this rules file in the default policy
</p>
</li>
<li>
<p>
<strong>-S</strong> &lt;x=v&gt; set config variable x equal to value v
</p>
</li>
<li>
<p>
<strong>-T</strong> test and report on the current Snort configuration
</p>
</li>
<li>
<p>
<strong>-U</strong> use UTC for timestamps
</p>
</li>
<li>
<p>
<strong>-V</strong> (same as --version)
</p>
</li>
<li>
<p>
<strong>-W</strong> lists available interfaces
</p>
</li>
<li>
<p>
<strong>-X</strong> dump the raw packet data starting at the link layer
</p>
</li>
<li>
<p>
<strong>-c</strong> &lt;conf&gt; use this configuration
</p>
</li>
<li>
<p>
<strong>-d</strong> dump the Application Layer
</p>
</li>
<li>
<p>
<strong>-e</strong> display the second layer header info
</p>
</li>
<li>
<p>
<strong>-f</strong> turn off fflush() calls after binary log writes
</p>
</li>
<li>
<p>
<strong>-g</strong> &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization
</p>
</li>
<li>
<p>
<strong>-i</strong> &lt;iface&gt;&#8230; list of interfaces
</p>
</li>
<li>
<p>
<strong>-j</strong> &lt;port&gt; to listen for telnet connections
</p>
</li>
<li>
<p>
<strong>-k</strong> &lt;mode&gt; checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
</p>
</li>
<li>
<p>
<strong>-l</strong> &lt;logdir&gt; log to this directory instead of current directory
</p>
</li>
<li>
<p>
<strong>-m</strong> &lt;umask&gt; set umask = &lt;umask&gt; (0:)
</p>
</li>
<li>
<p>
<strong>-n</strong> &lt;count&gt; stop after count packets (0:)
</p>
</li>
<li>
<p>
<strong>-q</strong> quiet mode - Don&#8217;t show banner and status report
</p>
</li>
<li>
<p>
<strong>-r</strong> &lt;pcap&gt;&#8230; (same as --pcap-list)
</p>
</li>
<li>
<p>
<strong>-s</strong> &lt;snap&gt; (same as --snaplen); default is 1514 (68:65535)
</p>
</li>
<li>
<p>
<strong>-t</strong> &lt;dir&gt; chroots process to &lt;dir&gt; after initialization
</p>
</li>
<li>
<p>
<strong>-u</strong> &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization
</p>
</li>
<li>
<p>
<strong>-v</strong> be verbose
</p>
</li>
<li>
<p>
<strong>-w</strong> dump 802.11 management and control frames
</p>
</li>
<li>
<p>
<strong>-x</strong> same as --pedantic
</p>
</li>
<li>
<p>
<strong>-y</strong> include year in timestamp in the alert and log files
</p>
</li>
<li>
<p>
<strong>-z</strong> &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_parameters">Parameters</h3>
<div class="paragraph"><p>Parameters are given with this format:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>type name = default: help { range }</code></pre>
</div></div>
<div class="paragraph"><p>The following types are used:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>addr</strong>: any valid IP4 or IP6 address or CIDR
</p>
</li>
<li>
<p>
<strong>addr_list</strong>: a space separated list of addr values
</p>
</li>
<li>
<p>
<strong>bit_list</strong>: a list of consecutive integer values from 1 to the range
  maximum
</p>
</li>
<li>
<p>
<strong>bool</strong>: true or false
</p>
</li>
<li>
<p>
<strong>dynamic</strong>: a select type determined by loaded plugins
</p>
</li>
<li>
<p>
<strong>enum</strong>: a string selected from the given range
</p>
</li>
<li>
<p>
<strong>implied</strong>: an IPS rule option that takes no value but means true
</p>
</li>
<li>
<p>
<strong>int</strong>: a whole number in the given range
</p>
</li>
<li>
<p>
<strong>ip4</strong>: an IP4 address or CIDR
</p>
</li>
<li>
<p>
<strong>mac</strong>: an ethernet address with the form 01:02:03:04:05:06
</p>
</li>
<li>
<p>
<strong>multi</strong>: one or more space separated strings from the given range
</p>
</li>
<li>
<p>
<strong>port</strong>: an int in the range 0:65535 indicating a TCP or UDP port number
</p>
</li>
<li>
<p>
<strong>real</strong>: a real number in the given range
</p>
</li>
<li>
<p>
<strong>select</strong>: a string selected from the given range
</p>
</li>
<li>
<p>
<strong>string</strong>: any string with no more than the given length, if any
</p>
</li>
</ul></div>
<div class="paragraph"><p>The parameter name may be adorned in various ways to indicate additional
information about the type and use of the parameter:</p></div>
<div class="ulist"><ul>
<li>
<p>
For Lua configuration (not IPS rules), if the name ends with [] it is
  a list item and can be repeated.
</p>
</li>
<li>
<p>
For IPS rules only, names starting with ~ indicate positional
  parameters.  The names of such parameters do not appear in the rule.
</p>
</li>
<li>
<p>
IPS rules may also have a wild card parameter, which is indicated by a
  *.  Only used for metadata that Snort ignores.
</p>
</li>
<li>
<p>
The snort module has command line options starting with a -.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Some additional details to note:</p></div>
<div class="ulist"><ul>
<li>
<p>
Table and variable names are case sensitive; use lower case only.
</p>
</li>
<li>
<p>
String values are case sensitive too; use lower case only.
</p>
</li>
<li>
<p>
Numeric ranges may be of the form low:high where low and high are
  bounds included in the range.  If either is omitted, there is no hard
  bound. E.g. 0: means any x where x &gt;= 0.
</p>
</li>
<li>
<p>
Strings may have a numeric range indicating a length limit; otherwise
  there is no hard limit.
</p>
</li>
<li>
<p>
bit_list is typically used to store a set of byte, port, or VLAN ID
  values.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_configuration_3">Configuration</h3>
<div class="ulist"><ul>
<li>
<p>
string <strong>ack.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:20 }
</p>
</li>
<li>
<p>
string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer
</p>
</li>
<li>
<p>
string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>
</p>
</li>
<li>
<p>
int <strong>active.max_responses</strong> = 0: maximum number of responses { 0: }
</p>
</li>
<li>
<p>
int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1: }
</p>
</li>
<li>
<p>
multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen dgm_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | dir | dgm_len | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | ip_id | ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid | src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }
</p>
</li>
<li>
<p>
bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_csv.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence
</p>
</li>
<li>
<p>
enum <strong>alert_csv.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
<li>
<p>
bool <strong>alert_ex.upper</strong> = false: true/false &#8594; convert to upper/lower case
</p>
</li>
<li>
<p>
bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_fast.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
bool <strong>alert_fast.packet</strong> = false: output packet dump with alert
</p>
</li>
<li>
<p>
enum <strong>alert_fast.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
<li>
<p>
bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
<li>
<p>
enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
</p>
</li>
<li>
<p>
enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
</p>
</li>
<li>
<p>
multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }
</p>
</li>
<li>
<p>
bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)
</p>
</li>
<li>
<p>
bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules
</p>
</li>
<li>
<p>
int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }
</p>
</li>
<li>
<p>
int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }
</p>
</li>
<li>
<p>
string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application
</p>
</li>
<li>
<p>
int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available memory for filters { 0: }
</p>
</li>
<li>
<p>
string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
</p>
</li>
<li>
<p>
bool <strong>alerts.stateful</strong> = false: don&#8217;t alert w/o established session (note: rule action still taken)
</p>
</li>
<li>
<p>
string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic
</p>
</li>
<li>
<p>
ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address
</p>
</li>
<li>
<p>
mac <strong>arp_spoof.hosts[].mac</strong>: host mac address
</p>
</li>
<li>
<p>
int <strong>asn1.absolute_offset</strong>: Absolute offset from the beginning of the packet. { 0: }
</p>
</li>
<li>
<p>
implied <strong>asn1.bitstring_overflow</strong>: Detects invalid bitstring encodings that are known to be remotely exploitable.
</p>
</li>
<li>
<p>
implied <strong>asn1.double_overflow</strong>: Detects a double ASCII encoding that is larger than a standard buffer.
</p>
</li>
<li>
<p>
int <strong>asn1.oversize_length</strong>: Compares ASN.1 type lengths with the supplied argument. { 0: }
</p>
</li>
<li>
<p>
implied <strong>asn1.print</strong>: &lt;&gt;max | &lt;max | &gt;min
</p>
</li>
<li>
<p>
int <strong>asn1.relative_offset</strong>: relative offset from the cursor.
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:207551 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule metadata { 1:256 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>base64_decode.bytes</strong>: Number of base64 encoded bytes to decode. { 1: }
</p>
</li>
<li>
<p>
int <strong>base64_decode.offset</strong> = 0: Bytes past start of buffer to start decoding. { 0: }
</p>
</li>
<li>
<p>
implied <strong>base64_decode.relative</strong>: Apply offset to cursor instead of start of buffer.
</p>
</li>
<li>
<p>
enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
</p>
</li>
<li>
<p>
string <strong>binder[].use.file</strong>: use configuration in given file
</p>
</li>
<li>
<p>
string <strong>binder[].use.name</strong>: symbol name (defaults to type)
</p>
</li>
<li>
<p>
string <strong>binder[].use.service</strong>: override automatic service identification
</p>
</li>
<li>
<p>
string <strong>binder[].use.type</strong>: select module for binding
</p>
</li>
<li>
<p>
bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }
</p>
</li>
<li>
<p>
addr_list <strong>binder[].when.nets</strong>: list of networks
</p>
</li>
<li>
<p>
int <strong>binder[].when.policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }
</p>
</li>
<li>
<p>
bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }
</p>
</li>
<li>
<p>
enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }
</p>
</li>
<li>
<p>
enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }
</p>
</li>
<li>
<p>
string <strong>binder[].when.service</strong>: override default configuration
</p>
</li>
<li>
<p>
bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }
</p>
</li>
<li>
<p>
string <strong>bufferlen.~range</strong>: len | min&lt;&gt;max | &lt;max | &gt;min
</p>
</li>
<li>
<p>
int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.little</strong>: little endian
</p>
</li>
<li>
<p>
int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_extract.string</strong>: convert from string
</p>
</li>
<li>
<p>
int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options
</p>
</li>
<li>
<p>
int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }
</p>
</li>
<li>
<p>
int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor
</p>
</li>
<li>
<p>
implied <strong>byte_jump.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.little</strong>: little endian
</p>
</li>
<li>
<p>
int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_jump.string</strong>: convert from string
</p>
</li>
<li>
<p>
int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
implied <strong>byte_test.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_test.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
implied <strong>byte_test.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_test.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_test.string</strong>: convert from string
</p>
</li>
<li>
<p>
string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against
</p>
</li>
<li>
<p>
int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing
</p>
</li>
<li>
<p>
string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
string <strong>classifications[].name</strong>: name used with classtype rule option
</p>
</li>
<li>
<p>
int <strong>classifications[].priority</strong> = 1: default priority for class { 0: }
</p>
</li>
<li>
<p>
string <strong>classifications[].text</strong>: description of class
</p>
</li>
<li>
<p>
string <strong>classtype.~</strong>: classification for this rule
</p>
</li>
<li>
<p>
string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer
</p>
</li>
<li>
<p>
string <strong>content.distance</strong>: var or number of bytes from cursor to start search
</p>
</li>
<li>
<p>
implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1: }
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0: }
</p>
</li>
<li>
<p>
implied <strong>content.nocase</strong>: case insensitive match
</p>
</li>
<li>
<p>
string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
string <strong>content.within</strong>: var or maximum number of bytes to search from cursor
</p>
</li>
<li>
<p>
string <strong>content.~data</strong>: data to match
</p>
</li>
<li>
<p>
implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string
</p>
</li>
<li>
<p>
bool <strong>daq.decode_data_link</strong> = false: display the second layer header info
</p>
</li>
<li>
<p>
string <strong>daq.dir</strong>: directory where to search for DAQ plugins
</p>
</li>
<li>
<p>
select <strong>daq.mode</strong>: set mode of operation { passive | inline | read-file }
</p>
</li>
<li>
<p>
bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode
</p>
</li>
<li>
<p>
int <strong>daq.snaplen</strong> = deflt: set snap length (same as -P) { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>daq.type</strong>: select type of DAQ
</p>
</li>
<li>
<p>
string <strong>daq.vars</strong>: comma separated list of name=value DAQ-specific parameters
</p>
</li>
<li>
<p>
string <strong>data_log.key</strong> = http_uri: name of data buffer to log
</p>
</li>
<li>
<p>
int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }
</p>
</li>
<li>
<p>
bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, -1 = max, 0 = off { -1:1000000 }
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, -1 = max, 0 = off { -1:10000 }
</p>
</li>
<li>
<p>
int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }
</p>
</li>
<li>
<p>
int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }
</p>
</li>
<li>
<p>
enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }
</p>
</li>
<li>
<p>
port <strong>dpx.port</strong>: port to check
</p>
</li>
<li>
<p>
string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption
</p>
</li>
<li>
<p>
int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1: }
</p>
</li>
<li>
<p>
int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0: }
</p>
</li>
<li>
<p>
string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track
</p>
</li>
<li>
<p>
int <strong>event_filter[].seconds</strong> = 0: count interval { 0: }
</p>
</li>
<li>
<p>
int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0: }
</p>
</li>
<li>
<p>
enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }
</p>
</li>
<li>
<p>
int <strong>event_queue.log</strong> = 3: maximum events to log { 1: }
</p>
</li>
<li>
<p>
int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1: }
</p>
</li>
<li>
<p>
enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }
</p>
</li>
<li>
<p>
bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups
</p>
</li>
<li>
<p>
int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0: }
</p>
</li>
<li>
<p>
bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_capture</strong> = false: enable file capture
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_signature</strong> = false: enable signature calculation
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_type</strong> = false: enable type ID
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].category</strong>: file type category
</p>
</li>
<li>
<p>
int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0: }
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].magic[].content</strong>: file magic content
</p>
</li>
<li>
<p>
int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0: }
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].msg</strong>: information about the file type
</p>
</li>
<li>
<p>
int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0: }
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].type</strong>: file type name
</p>
</li>
<li>
<p>
string <strong>file_id.file_rules[].version</strong>: file type version
</p>
</li>
<li>
<p>
int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0: }
</p>
</li>
<li>
<p>
int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0: }
</p>
</li>
<li>
<p>
int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0: }
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info
</p>
</li>
<li>
<p>
int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0: }
</p>
</li>
<li>
<p>
string <strong>flags.~mask_flags</strong>: these flags are don&#8217;t cares
</p>
</li>
<li>
<p>
string <strong>flags.~test_flags</strong>: these flags are tested
</p>
</li>
<li>
<p>
implied <strong>flow.established</strong>: match only during data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.from_client</strong>: same as to_server
</p>
</li>
<li>
<p>
implied <strong>flow.from_server</strong>: same as to_client
</p>
</li>
<li>
<p>
implied <strong>flow.no_frag</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.no_stream</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.not_established</strong>: match only outside data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.only_frag</strong>: match on defragmented packets only
</p>
</li>
<li>
<p>
implied <strong>flow.only_stream</strong>: match on reassembled packets only
</p>
</li>
<li>
<p>
implied <strong>flow.stateless</strong>: match regardless of stream state
</p>
</li>
<li>
<p>
implied <strong>flow.to_client</strong>: match on server responses
</p>
</li>
<li>
<p>
implied <strong>flow.to_server</strong>: match on client requests
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg1</strong>: bits or group
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg2</strong>: group if arg1 is bits
</p>
</li>
<li>
<p>
string <strong>flowbits.~command</strong>: set|reset|isset|etc.
</p>
</li>
<li>
<p>
string <strong>fragbits.~flags</strong>: these flags are tested
</p>
</li>
<li>
<p>
string <strong>fragoffset.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
bool <strong>ftp_client.bounce</strong> = false: check for bounces
</p>
</li>
<li>
<p>
addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed ip address in CIDR format
</p>
</li>
<li>
<p>
port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive { 0: }
</p>
</li>
<li>
<p>
port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port { 1: }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
int <strong>ftp_client.max_resp_len</strong> = -1: maximum ftp response accepted by client { -1: }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.telnet_cmds</strong> = false: detect telnet escape sequences on ftp control channel
</p>
</li>
<li>
<p>
bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.cmd_validity[].command</strong>: command string
</p>
</li>
<li>
<p>
string <strong>ftp_server.cmd_validity[].format</strong>: format specification
</p>
</li>
<li>
<p>
int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0: }
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1: }
</p>
</li>
<li>
<p>
string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command
</p>
</li>
<li>
<p>
int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200: }
</p>
</li>
<li>
<p>
string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted telnet and ftp
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect ftp data channels
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up
</p>
</li>
<li>
<p>
bool <strong>ftp_server.telnet_cmds</strong> = false: detect telnet escape sequences of ftp control channel
</p>
</li>
<li>
<p>
int <strong>gid.~</strong>: generator id { 1: }
</p>
</li>
<li>
<p>
string <strong>gtp_info.~</strong>: info element to match
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong>gtp_inspect[].infos[].name</strong>: information element name
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong>gtp_inspect[].messages[].name</strong>: message name
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }
</p>
</li>
<li>
<p>
int <strong>gtp_inspect[].version</strong> = 2: gtp version { 0:2 }
</p>
</li>
<li>
<p>
string <strong>gtp_type.~</strong>: list of types to match
</p>
</li>
<li>
<p>
int <strong>gtp_version.~</strong>: version to match { 0:2 }
</p>
</li>
<li>
<p>
enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr
</p>
</li>
<li>
<p>
string <strong>hosts[].services[].name</strong>: service identifier
</p>
</li>
<li>
<p>
port <strong>hosts[].services[].port</strong>: port number
</p>
</li>
<li>
<p>
enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }
</p>
</li>
<li>
<p>
enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
int <strong>http_global.compress_depth</strong> = 65535: maximum amount of packet payload to decompress { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.b64_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.bitenc_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.max_mime_mem</strong> = 838860: single packet decode depth { 3276: }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.qp_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decode.uu_decode_depth</strong> = 0: single packet decode depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>http_global.decompress_depth</strong> = 65535: maximum amount of decompressed data to process { 1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_global.detect_anomalous_servers</strong> = false: inspect non-configured ports for HTTP - bad idea
</p>
</li>
<li>
<p>
int <strong>http_global.max_gzip_mem</strong> = 838860: total memory used for decompression across all active sessions { 3276: }
</p>
</li>
<li>
<p>
int <strong>http_global.memcap</strong> = 150994944: limit of memory used for logging extra data { 2304: }
</p>
</li>
<li>
<p>
bool <strong>http_global.proxy_alert</strong> = false: alert on proxy usage for servers without allow_proxy_use
</p>
</li>
<li>
<p>
int <strong>http_global.unicode_map.code_page</strong> = 1252: select code page in map file { 0: }
</p>
</li>
<li>
<p>
string <strong>http_global.unicode_map.map_file</strong>: unicode map file
</p>
</li>
<li>
<p>
string <strong>http_header.~name</strong>: restrict to given header
</p>
</li>
<li>
<p>
bool <strong>http_inspect.allow_proxy_use</strong> = false: don&#8217;t alert on proxy use for this server
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_pdf</strong> = false: enable decompression of the compressed portions of PDF files
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_swf</strong> = false: enable decompression of SWF (Adobe Flash content)
</p>
</li>
<li>
<p>
bool <strong>http_inspect.enable_cookies</strong> = true: extract cookies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.enable_xff</strong> = false: log True-Client-IP and X-Forwarded-For headers with unified2 alerts as extra data
</p>
</li>
<li>
<p>
bool <strong>http_inspect.extended_ascii_uri</strong> = false: allow extended ASCII codes in the request URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.extended_response_inspection</strong> = true: extract response headers
</p>
</li>
<li>
<p>
string <strong>http_inspect.http_methods</strong> = GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA: request methods allowed in addition to GET and POST
</p>
</li>
<li>
<p>
bool <strong>http_inspect.inspect_gzip</strong> = true: enable gzip decompression of compressed bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.inspect_uri_only</strong> = false: disable all detection except for uricontent
</p>
</li>
<li>
<p>
bool <strong>http_inspect.log_hostname</strong> = false: enable logging of Hostname with unified2 alerts as extra data
</p>
</li>
<li>
<p>
bool <strong>http_inspect.log_uri</strong> = false: enable logging of URI with unified2 alerts as extra data
</p>
</li>
<li>
<p>
bool <strong>http_inspect.no_pipeline_req</strong> = false: don&#8217;t inspect pipelined requests after first (still does general detection)
</p>
</li>
<li>
<p>
bit_list <strong>http_inspect.non_rfc_chars</strong> = 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07: alert on given non-RFC chars being present in the URI { 255 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_cookies</strong> = false: normalize cookies similar to URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_headers</strong> = false: normalize headers other than cookie similar to URI
</p>
</li>
<li>
<p>
int <strong>http_inspect.oversize_dir_length</strong> = 500: alert if a URL has a directory longer than this limit { 0: }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.apache_whitespace</strong> = false: don&#8217;t alert if tab is used in lieu of space characters
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.ascii</strong> = false: enable decoding ASCII like %2f to /
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.bare_byte</strong> = false: decode non-standard, non-ASCII character encodings
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.chunk_length</strong> = 500000: alert on chunk lengths greater than specified { 1: }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.client_flow_depth</strong> = 0: raw request payload to inspect { -1:1460 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.directory</strong> = false: normalize . and .. sequences out of URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.double_decode</strong> = false: iis specific extra decoding
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.iis_backslash</strong> = false: normalize directory slashes
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.iis_delimiter</strong> = false: allow use of non-standard delimiter
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.iis_unicode</strong> = false: enable unicode code point mapping using unicode_map settings
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.iis_unicode_map.code_page</strong> = 1252: select code page in map file { 0: }
</p>
</li>
<li>
<p>
string <strong>http_inspect.profile.iis_unicode_map.map_file</strong>: unicode map file
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_header_length</strong> = 750: maximum allowed client request header field { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_headers</strong> = 100: maximum allowed client request headers { 0:1024 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_javascript_whitespaces</strong> = 200: maximum number of consecutive whitespaces { 0: }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.max_spaces</strong> = 200: maximum allowed whitespaces when folding { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.multi_slash</strong> = false: normalize out consecutive slashes in URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.non_strict</strong> = true: allows HTTP 0.9 processing
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.normalize_javascript</strong> = true: normalize javascript between &lt;script&gt; tags
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.normalize_utf</strong> = true: normalize response bodies with UTF content-types
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.post_depth</strong> = 65495: amount of POST data to inspect { -1:65535 }
</p>
</li>
<li>
<p>
enum <strong>http_inspect.profile.profile_type</strong> = default: set defaults appropriate for selected server { default | apache | iis | iis_40 | iis_50 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.profile.server_flow_depth</strong> = 0: response payload to inspect; includes headers with extended_response_inspection { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.u_encode</strong> = true: decode %uXXXX character sequences
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.utf_8</strong> = false: decode UTF-8 unicode sequences in URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.profile.webroot</strong> = false: alert on directory traversals past the top level (web server root)
</p>
</li>
<li>
<p>
bit_list <strong>http_inspect.profile.whitespace_chars</strong>: allowed white space characters { 255 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.small_chunk_count</strong> = 5: alert if more than this limit of consecutive chunks are below small_chunk_length { 0:255 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.small_chunk_length</strong> = 10: alert if more than small_chunk_count consecutive chunks below this limit { 0:255 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.tab_uri_delimiter</strong> = false: whether a tab not preceded by a space is considered a delimiter or part of URI
</p>
</li>
<li>
<p>
bool <strong>http_inspect.unlimited_decompress</strong> = true: decompress across multiple packets
</p>
</li>
<li>
<p>
bool <strong>http_inspect.xff_headers</strong> = false: not implemented
</p>
</li>
<li>
<p>
string <strong>icmp_id.~range</strong>: check if icmp id is <em>id | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
string <strong>icmp_seq.~range</strong>: check if icmp sequence number is <em>seq | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
string <strong>icode.~range</strong>: check if ICMP code is <em>code | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
string <strong>id.~range</strong>: check if the IP ID is <em>id | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
int <strong>imap.b64_decode_depth</strong> = 1460:  base64 decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.bitenc_decode_depth</strong> = 1460:  Non-Encoded MIME attachment extraction depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.qp_decode_depth</strong> = 1460:  Quoted Printable decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.uu_decode_depth</strong> = 1460:  Unix-to-Unix decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>ip_proto.~proto</strong>: [!|&gt;|&lt;] name or number
</p>
</li>
<li>
<p>
select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }
</p>
</li>
<li>
<p>
bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs
</p>
</li>
<li>
<p>
int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>ips.include</strong>: legacy snort rules and includes
</p>
</li>
<li>
<p>
enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }
</p>
</li>
<li>
<p>
string <strong>ips.rules</strong>: snort rules and includes
</p>
</li>
<li>
<p>
implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>isdataat.~length</strong>: num | !num
</p>
</li>
<li>
<p>
string <strong>itype.~range</strong>: check if icmp type is <em>type | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>log_codecs.msg</strong> = false: include alert msg
</p>
</li>
<li>
<p>
bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>log_hext.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload
</p>
</li>
<li>
<p>
enum <strong>log_hext.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
<li>
<p>
int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>log_pcap.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
enum <strong>log_pcap.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }
</p>
</li>
<li>
<p>
string <strong>lowmem_q.var</strong>: additional print text
</p>
</li>
<li>
<p>
int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>md5.~hash</strong>: data to match
</p>
</li>
<li>
<p>
string <strong>metadata.</strong>*: additional parameters not used by snort
</p>
</li>
<li>
<p>
string <strong>metadata.service</strong>: service name
</p>
</li>
<li>
<p>
string <strong>modbus_func.~</strong>: function code to match
</p>
</li>
<li>
<p>
int <strong>modbus_unit.~</strong>: modbus unit ID { 0:255 }
</p>
</li>
<li>
<p>
bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast
</p>
</li>
<li>
<p>
bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)
</p>
</li>
<li>
<p>
int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1: }
</p>
</li>
<li>
<p>
enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }
</p>
</li>
<li>
<p>
string <strong>msg.~</strong>: message describing rule
</p>
</li>
<li>
<p>
multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder
</p>
</li>
<li>
<p>
int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>network.layers</strong> = 40: The maximum number of protocols that Snort can correctly decode { 3:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip6_extensions</strong> = 0: The number of IP6 options Snort will process for a given IPv6 layer. If this limit is hit, rule 116:456 may fire.  0 = unlimited { 0:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip_layers</strong> = 0: The maximum number of IP layers Snort will process for a given packet If this limit is hit, rule 116:293 may fire.  0 = unlimited { 0:255 }
</p>
</li>
<li>
<p>
int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower ttl / hop limit (you must enable rules and / or normalization also) { 1:255 }
</p>
</li>
<li>
<p>
int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }
</p>
</li>
<li>
<p>
int <strong>new_http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }
</p>
</li>
<li>
<p>
int <strong>new_http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }
</p>
</li>
<li>
<p>
int <strong>new_http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }
</p>
</li>
<li>
<p>
bool <strong>new_http_inspect.test_input</strong> = false: read HTTP messages from text file
</p>
</li>
<li>
<p>
bool <strong>new_http_inspect.test_output</strong> = false: print out HTTP section data
</p>
</li>
<li>
<p>
bool <strong>new_http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp4</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp6</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.base</strong> = true: clear options
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.df</strong> = false: clear don&#8217;t frag flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip6</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
string <strong>normalizer.tcp.allow_codes</strong>: don&#8217;t clear given option codes
</p>
</li>
<li>
<p>
multi <strong>normalizer.tcp.allow_names</strong>: don&#8217;t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization
</p>
</li>
<li>
<p>
select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length
</p>
</li>
<li>
<p>
bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)
</p>
</li>
<li>
<p>
int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records
</p>
</li>
<li>
<p>
string <strong>output.logdir</strong> = .: where to put log files (same as -l)
</p>
</li>
<li>
<p>
bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)
</p>
</li>
<li>
<p>
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)
</p>
</li>
<li>
<p>
bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)
</p>
</li>
<li>
<p>
int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0: }
</p>
</li>
<li>
<p>
bool <strong>output.verbose</strong> = false: be verbose (same as -v)
</p>
</li>
<li>
<p>
bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections
</p>
</li>
<li>
<p>
string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort
</p>
</li>
<li>
<p>
bool <strong>packets.enable_inline_init_failopen</strong> = true: whether to pass traffic during later stage of initialization to avoid drops
</p>
</li>
<li>
<p>
int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }
</p>
</li>
<li>
<p>
bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections
</p>
</li>
<li>
<p>
string <strong>pcre.~regex</strong>: Snort regular expression
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.console</strong> = false: output to console
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.events</strong> = false: report on qualified vs non-qualified events
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.file</strong> = false: output base stats to perf_monitor.csv instead of stdout
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_file</strong> = false: output traffic statistics to a perf_monitor_flow.csv instead of stdout
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_ip_file</strong> = false: output host pair statistics to perf_monitor_flow_ip.csv instead of stdout
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0: }
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.max</strong> = false: calculate theoretical maximum performance
</p>
</li>
<li>
<p>
int <strong>perf_monitor.max_file_size</strong> = 4294967295: files will be rolled over if they exceed this size { 4096: }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.packets</strong> = 10000: minim packets to report { 0: }
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.reset</strong> = true: reset (clear) statistics after each reporting interval
</p>
</li>
<li>
<p>
int <strong>perf_monitor.seconds</strong> = 60: report interval; 0 means report at exit only { 0: }
</p>
</li>
<li>
<p>
string <strong>pkt_num.~range</strong>: check if packet number is in given range
</p>
</li>
<li>
<p>
int <strong>pop.b64_decode_depth</strong> = 1460:  base64 decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.bitenc_decode_depth</strong> = 1460:  Non-Encoded MIME attachment extraction depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.qp_decode_depth</strong> = 1460:  Quoted Printable decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.uu_decode_depth</strong> = 1460:  Unix-to-Unix decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts
</p>
</li>
<li>
<p>
bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports
</p>
</li>
<li>
<p>
bool <strong>port_scan.logfile</strong> = false: write scan events to file
</p>
</li>
<li>
<p>
multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }
</p>
</li>
<li>
<p>
multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }
</p>
</li>
<li>
<p>
enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }
</p>
</li>
<li>
<p>
string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch
</p>
</li>
<li>
<p>
int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }
</p>
</li>
<li>
<p>
int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1: }
</p>
</li>
<li>
<p>
string <strong>process.chroot</strong>: set chroot directory (same as -t)
</p>
</li>
<li>
<p>
bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)
</p>
</li>
<li>
<p>
bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup
</p>
</li>
<li>
<p>
string <strong>process.set_gid</strong>: set group ID (same as -g)
</p>
</li>
<li>
<p>
string <strong>process.set_uid</strong>: set user ID (same as -u)
</p>
</li>
<li>
<p>
int <strong>process.threads[].cpu</strong> = 0: pin the associated source/thread to this cpu { 0:127 }
</p>
</li>
<li>
<p>
string <strong>process.threads[].source</strong>: set cpu affinity for this source (either pcap or &lt;iface&gt;
</p>
</li>
<li>
<p>
int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0: }
</p>
</li>
<li>
<p>
string <strong>process.umask</strong>: set process umask (same as -m)
</p>
</li>
<li>
<p>
bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps
</p>
</li>
<li>
<p>
string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track
</p>
</li>
<li>
<p>
int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0: }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0: }
</p>
</li>
<li>
<p>
select <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { alert | drop | log | pass | | reject | sdrop }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].seconds</strong> = 1: count interval { 0: }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0: }
</p>
</li>
<li>
<p>
int <strong>rate_filter[].timeout</strong> = 1: count interval { 0: }
</p>
</li>
<li>
<p>
enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
</p>
</li>
<li>
<p>
bool <strong>react.msg</strong> = false:  use rule msg in response page instead of default message
</p>
</li>
<li>
<p>
string <strong>react.page</strong>: file containing HTTP response (headers and body)
</p>
</li>
<li>
<p>
string <strong>reference.~id</strong>: reference id
</p>
</li>
<li>
<p>
string <strong>reference.~scheme</strong>: reference scheme
</p>
</li>
<li>
<p>
string <strong>references[].name</strong>: name used with reference rule option
</p>
</li>
<li>
<p>
string <strong>references[].url</strong>: where this reference is defined
</p>
</li>
<li>
<p>
enum <strong>reject.control</strong>: send icmp unreachable(s) { network|host|port|all }
</p>
</li>
<li>
<p>
enum <strong>reject.reset</strong>: send tcp reset to one or both ends { source|dest|both }
</p>
</li>
<li>
<p>
string <strong>rem.~</strong>: comment
</p>
</li>
<li>
<p>
string <strong>replace.~</strong>: byte code to replace with
</p>
</li>
<li>
<p>
int <strong>rev.~</strong>: revision { 1: }
</p>
</li>
<li>
<p>
string <strong>rpc.~app</strong>: application number
</p>
</li>
<li>
<p>
string <strong>rpc.~proc</strong>: procedure number or * for any
</p>
</li>
<li>
<p>
string <strong>rpc.~ver</strong>: version number or * for any
</p>
</li>
<li>
<p>
bool <strong>rule_state.enable</strong> = true: enable or disable rule in all policies
</p>
</li>
<li>
<p>
int <strong>rule_state.gid</strong> = 0: rule generator ID { 0: }
</p>
</li>
<li>
<p>
int <strong>rule_state.sid</strong> = 0: rule signature ID { 0: }
</p>
</li>
<li>
<p>
int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1: }
</p>
</li>
<li>
<p>
bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_fast_pattern</strong> = false: print fast pattern info for each rule
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group
</p>
</li>
<li>
<p>
bool <strong>search_engine.inspect_stream_inserts</strong> = false: inspect reassembled payload - disabling is good for performance, bad for detection
</p>
</li>
<li>
<p>
int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0: }
</p>
</li>
<li>
<p>
int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet
</p>
</li>
<li>
<p>
dynamic <strong>search_engine.search_method</strong> = ac_bnfa_q: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_bnfa_q | ac_full | ac_full_q | ac_sparse | ac_sparse_bands | ac_std | lowmem | lowmem_q }
</p>
</li>
<li>
<p>
bool <strong>search_engine.search_optimize</strong> = false: tweak state machine construction for better performance
</p>
</li>
<li>
<p>
bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory
</p>
</li>
<li>
<p>
string <strong>seq.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
enum <strong>session.~mode</strong>: output format { printable|binary|all }
</p>
</li>
<li>
<p>
int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>sha256.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>sha512.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sid.~</strong>: signature id { 1: }
</p>
</li>
<li>
<p>
bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel
</p>
</li>
<li>
<p>
int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:4194303 }
</p>
</li>
<li>
<p>
int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_sessions</strong> = 10000: maximum number of sessions that can be allocated { 1024:4194303 }
</p>
</li>
<li>
<p>
int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>sip.methods</strong> = invite cancel ack  bye register options: list of methods to check in sip messages
</p>
</li>
<li>
<p>
string <strong>sip_method.*method</strong>: sip method
</p>
</li>
<li>
<p>
int <strong>sip_stat_code.*code</strong>: stat code { 1:999 }
</p>
</li>
<li>
<p>
string <strong>smtp.alt_max_command_line_len[].command</strong>: command string
</p>
</li>
<li>
<p>
int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0: }
</p>
</li>
<li>
<p>
string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange
</p>
</li>
<li>
<p>
int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command
</p>
</li>
<li>
<p>
int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter
</p>
</li>
<li>
<p>
int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules
</p>
</li>
<li>
<p>
string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side
</p>
</li>
<li>
<p>
bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data
</p>
</li>
<li>
<p>
bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body
</p>
</li>
<li>
<p>
bool <strong>smtp.log_mailfrom</strong> = false: log the sender&#8217;s email address extracted from the MAIL FROM command
</p>
</li>
<li>
<p>
bool <strong>smtp.log_rcptto</strong> = false: log the recipient&#8217;s email address extracted from the RCPT TO command
</p>
</li>
<li>
<p>
int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }
</p>
</li>
<li>
<p>
string <strong>smtp.normalize_cmds</strong>: list of commands to normalize
</p>
</li>
<li>
<p>
int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.valid_cmds</strong>: list of valid commands
</p>
</li>
<li>
<p>
enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }
</p>
</li>
<li>
<p>
implied <strong>snort.--alert-before-pass</strong>: process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,&#8230;
</p>
</li>
<li>
<p>
string <strong>snort.--bpf</strong>: &lt;filter options&gt; are standard BPF options, as seen in TCPDump
</p>
</li>
<li>
<p>
string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)
</p>
</li>
<li>
<p>
string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>
</p>
</li>
<li>
<p>
implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode
</p>
</li>
<li>
<p>
string <strong>snort.--daq</strong>: &lt;type&gt; select packet acquisition module (default is pcap)
</p>
</li>
<li>
<p>
string <strong>snort.--daq-dir</strong>: &lt;dir&gt; tell snort where to find desired DAQ
</p>
</li>
<li>
<p>
implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only
</p>
</li>
<li>
<p>
string <strong>snort.--daq-mode</strong>: &lt;mode&gt; select the DAQ operating mode
</p>
</li>
<li>
<p>
string <strong>snort.--daq-var</strong>: &lt;name=value&gt; specify extra DAQ configuration variable
</p>
</li>
<li>
<p>
implied <strong>snort.--dirty-pig</strong>: don&#8217;t flush packets on shutdown
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-builtin-rules</strong>: [&lt;module prefix&gt;] output stub rules for selected modules
</p>
</li>
<li>
<p>
string <strong>snort.--dump-defaults</strong>: [&lt;module prefix&gt;] output module defaults in Lua format { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries
</p>
</li>
<li>
<p>
string <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation
</p>
</li>
<li>
<p>
implied <strong>snort.--help</strong>: list command line options
</p>
</li>
<li>
<p>
string <strong>snort.--help-commands</strong>: [&lt;module prefix&gt;] output matching commands { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-config</strong>: [&lt;module prefix&gt;] output matching config options { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-counts</strong>: [&lt;module prefix&gt;] output matching peg counts { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-module</strong>: &lt;module&gt; output description of given module
</p>
</li>
<li>
<p>
implied <strong>snort.--help-modules</strong>: list all available modules with brief help
</p>
</li>
<li>
<p>
string <strong>snort.--help-options</strong>: &lt;option prefix&gt; output matching command line option quick help (same as -?) { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help
</p>
</li>
<li>
<p>
implied <strong>snort.--help-signals</strong>: dump available control signals
</p>
</li>
<li>
<p>
implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix
</p>
</li>
<li>
<p>
implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread
</p>
</li>
<li>
<p>
implied <strong>snort.--list-buffers</strong>: output available inspection buffers
</p>
</li>
<li>
<p>
string <strong>snort.--list-builtin</strong>: &lt;module prefix&gt; output matching builtin rules { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-gids</strong>: [&lt;module prefix&gt;] output matching generators { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-modules</strong>: [&lt;module type&gt;] list all known modules of given type { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--list-plugins</strong>: list all known plugins
</p>
</li>
<li>
<p>
int <strong>snort.--logid</strong>: &lt;0xid&gt; log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>snort.--lua</strong>: &lt;chunk&gt; extend/override conf with chunk; may be repeated
</p>
</li>
<li>
<p>
implied <strong>snort.--markup</strong>: output help in asciidoc compatible format
</p>
</li>
<li>
<p>
int <strong>snort.--max-packet-threads</strong> = 1: &lt;count&gt; configure maximum number of packet threads (same as -z) { 0: }
</p>
</li>
<li>
<p>
implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file
</p>
</li>
<li>
<p>
implied <strong>snort.--nostamps</strong>: don&#8217;t include timestamps in log file names
</p>
</li>
<li>
<p>
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-dir</strong>: &lt;dir&gt; a directory to recurse to look for pcaps - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-file</strong>: &lt;file&gt; file that contains a list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-filter</strong>: &lt;filter&gt; filter to apply when getting pcaps from file or directory
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-list</strong>: &lt;list&gt; a space separated list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
int <strong>snort.--pcap-loop</strong>: &lt;count&gt; read all pcaps &lt;count&gt; times;  0 will read until Snort is terminated { -1: }
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read
</p>
</li>
<li>
<p>
implied <strong>snort.--pedantic</strong>: warnings are fatal
</p>
</li>
<li>
<p>
implied <strong>snort.--piglet</strong>: enable piglet test harness mode
</p>
</li>
<li>
<p>
string <strong>snort.--plugin-path</strong>: &lt;path&gt; where to find plugins
</p>
</li>
<li>
<p>
implied <strong>snort.--process-all-events</strong>: process all action groups
</p>
</li>
<li>
<p>
string <strong>snort.--rule</strong>: &lt;rules&gt; to be added to configuration; may be repeated
</p>
</li>
<li>
<p>
implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
string <strong>snort.--run-prefix</strong>: &lt;pfx&gt; prepend this to each output file
</p>
</li>
<li>
<p>
string <strong>snort.--script-path</strong>: &lt;path&gt; to a luajit script or directory containing luajit scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--shell</strong>: enable the interactive command line
</p>
</li>
<li>
<p>
implied <strong>snort.--show-plugins</strong>: list module and plugin versions
</p>
</li>
<li>
<p>
int <strong>snort.--skip</strong>: &lt;n&gt; skip 1st n packets { 0: }
</p>
</li>
<li>
<p>
int <strong>snort.--snaplen</strong> = 1514: &lt;snap&gt; set snaplen of packet (same as -s) { 68:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline
</p>
</li>
<li>
<p>
implied <strong>snort.--version</strong>: show version number (same as -V)
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-all</strong>: enable all warnings
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-conf</strong>: warn about configuration issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-hosts</strong>: warn about host table issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues
</p>
</li>
<li>
<p>
int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x)
</p>
</li>
<li>
<p>
string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)
</p>
</li>
<li>
<p>
string <strong>snort.-?</strong>: &lt;option prefix&gt; output matching command line option quick help (same as --help-options) { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.-A</strong>: &lt;mode&gt; set alert mode: none, cmg, or alert_*
</p>
</li>
<li>
<p>
addr <strong>snort.-B</strong> = 255.255.255.255/32: &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask
</p>
</li>
<li>
<p>
implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)
</p>
</li>
<li>
<p>
implied <strong>snort.-D</strong>: run Snort in background (daemon) mode
</p>
</li>
<li>
<p>
int <strong>snort.-G</strong>: &lt;0xid&gt; (same as --logid) { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.-H</strong>: make hash tables deterministic
</p>
</li>
<li>
<p>
string <strong>snort.-L</strong>: &lt;mode&gt; logging mode (none, dump, pcap, or log_*)
</p>
</li>
<li>
<p>
implied <strong>snort.-M</strong>: log messages to syslog (not alerts)
</p>
</li>
<li>
<p>
implied <strong>snort.-O</strong>: obfuscate the logged IP addresses
</p>
</li>
<li>
<p>
implied <strong>snort.-Q</strong>: enable inline mode operation
</p>
</li>
<li>
<p>
string <strong>snort.-R</strong>: &lt;rules&gt; include this rules file in the default policy
</p>
</li>
<li>
<p>
string <strong>snort.-S</strong>: &lt;x=v&gt; set config variable x equal to value v
</p>
</li>
<li>
<p>
implied <strong>snort.-T</strong>: test and report on the current Snort configuration
</p>
</li>
<li>
<p>
implied <strong>snort.-U</strong>: use UTC for timestamps
</p>
</li>
<li>
<p>
implied <strong>snort.-V</strong>: (same as --version)
</p>
</li>
<li>
<p>
implied <strong>snort.-W</strong>: lists available interfaces
</p>
</li>
<li>
<p>
implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer
</p>
</li>
<li>
<p>
string <strong>snort.-c</strong>: &lt;conf&gt; use this configuration
</p>
</li>
<li>
<p>
implied <strong>snort.-d</strong>: dump the Application Layer
</p>
</li>
<li>
<p>
implied <strong>snort.-e</strong>: display the second layer header info
</p>
</li>
<li>
<p>
implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes
</p>
</li>
<li>
<p>
string <strong>snort.-g</strong>: &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization
</p>
</li>
<li>
<p>
string <strong>snort.-i</strong>: &lt;iface&gt;&#8230; list of interfaces
</p>
</li>
<li>
<p>
port <strong>snort.-j</strong>: &lt;port&gt; to listen for telnet connections
</p>
</li>
<li>
<p>
enum <strong>snort.-k</strong> = all: &lt;mode&gt; checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }
</p>
</li>
<li>
<p>
string <strong>snort.-l</strong>: &lt;logdir&gt; log to this directory instead of current directory
</p>
</li>
<li>
<p>
int <strong>snort.-m</strong>: &lt;umask&gt; set umask = &lt;umask&gt; { 0: }
</p>
</li>
<li>
<p>
int <strong>snort.-n</strong>: &lt;count&gt; stop after count packets { 0: }
</p>
</li>
<li>
<p>
implied <strong>snort.-q</strong>: quiet mode - Don&#8217;t show banner and status report
</p>
</li>
<li>
<p>
string <strong>snort.-r</strong>: &lt;pcap&gt;&#8230; (same as --pcap-list)
</p>
</li>
<li>
<p>
int <strong>snort.-s</strong> = 1514: &lt;snap&gt; (same as --snaplen); default is 1514 { 68:65535 }
</p>
</li>
<li>
<p>
string <strong>snort.-t</strong>: &lt;dir&gt; chroots process to &lt;dir&gt; after initialization
</p>
</li>
<li>
<p>
string <strong>snort.-u</strong>: &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-v</strong>: be verbose
</p>
</li>
<li>
<p>
implied <strong>snort.-w</strong>: dump 802.11 management and control frames
</p>
</li>
<li>
<p>
implied <strong>snort.-x</strong>: same as --pedantic
</p>
</li>
<li>
<p>
implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files
</p>
</li>
<li>
<p>
int <strong>snort.-z</strong> = 1: &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0: }
</p>
</li>
<li>
<p>
string <strong>so.~func</strong>: name of eval function
</p>
</li>
<li>
<p>
string <strong>soid.~</strong>: SO rule ID has &lt;gid&gt;|&lt;sid&gt; format, like 3|12345
</p>
</li>
<li>
<p>
int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }
</p>
</li>
<li>
<p>
int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown
</p>
</li>
<li>
<p>
implied <strong>ssl_state.client_hello</strong>: check for client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.client_keyx</strong>: check for client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_hello</strong>: check for server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_keyx</strong>: check for server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.unknown</strong>: check for unknown record
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.sslv2</strong>: check for sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.sslv3</strong>: check for sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.0</strong>: check for tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.1</strong>: check for tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.2</strong>: check for tls1.2
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.max_sessions</strong> =  128: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.memcap</strong> = 23920640: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.memcap</strong> = 268435456: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 1: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
</p>
</li>
<li>
<p>
bool <strong>stream_file.upload</strong> = false: indicate file transfer direction
</p>
</li>
<li>
<p>
int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1: }
</p>
</li>
<li>
<p>
int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with ttl below the minimum { 1:255 }
</p>
</li>
<li>
<p>
enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }
</p>
</li>
<li>
<p>
enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.noalert</strong>: don&#8217;t alert when rule matches
</p>
</li>
<li>
<p>
enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }
</p>
</li>
<li>
<p>
string <strong>stream_size.~range</strong>: size for comparison
</p>
</li>
<li>
<p>
int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.footprint</strong> = 0: use zero for production, non-zero for testing at given size { 0: }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.ignore_any_rules</strong> = false: process tcp content rules w/o ports only if rules with ports are present
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:65535 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_window</strong> = 0: maximum allowed tcp window { 0:1073725440 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:255 }
</p>
</li>
<li>
<p>
enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don&#8217;t queue more than given bytes per session and direction { 0: }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don&#8217;t queue more than given segments per session and direction { 0: }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions
</p>
</li>
<li>
<p>
int <strong>stream_tcp.require_3whs</strong> = -1: don&#8217;t track midstream sessions after given seconds from start up; -1 tracks all { -1:86400 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
bool <strong>stream_udp.ignore_any_rules</strong> = false: process udp content rules w/o ports only if rules with ports are present
</p>
</li>
<li>
<p>
int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
</p>
</li>
<li>
<p>
int <strong>suppress[].gid</strong> = 0: rule generator ID { 0: }
</p>
</li>
<li>
<p>
string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track
</p>
</li>
<li>
<p>
int <strong>suppress[].sid</strong> = 0: rule signature ID { 0: }
</p>
</li>
<li>
<p>
enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong>tag.bytes</strong>: tag for this many bytes { 1: }
</p>
</li>
<li>
<p>
int <strong>tag.packets</strong>: tag this many packets { 1: }
</p>
</li>
<li>
<p>
int <strong>tag.seconds</strong>: tag for this many seconds { 1: }
</p>
</li>
<li>
<p>
enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }
</p>
</li>
<li>
<p>
int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }
</p>
</li>
<li>
<p>
bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted telnet and ftp
</p>
</li>
<li>
<p>
bool <strong>telnet.normalize</strong> = false: eliminate escape sequences
</p>
</li>
<li>
<p>
string <strong>tos.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
string <strong>ttl.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)
</p>
</li>
<li>
<p>
bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations
</p>
</li>
<li>
<p>
bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }
</p>
</li>
<li>
<p>
int <strong>unified2.limit</strong> = 0: set limit (0 is unlimited) { 0: }
</p>
</li>
<li>
<p>
bool <strong>unified2.mpls_event_types</strong> = false: include mpls labels in events
</p>
</li>
<li>
<p>
bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)
</p>
</li>
<li>
<p>
enum <strong>unified2.units</strong> = B: limit multiplier { B | K | M | G }
</p>
</li>
<li>
<p>
bool <strong>unified2.vlan_event_types</strong> = false: include vlan IDs in events
</p>
</li>
<li>
<p>
string <strong>urg.~range</strong>: check if urgent offset is min&lt;&gt;max | &lt;max | &gt;min
</p>
</li>
<li>
<p>
string <strong>window.~range</strong>: check if packet payload size is <em>size | min&lt;&gt;max | &lt;max | &gt;min</em>
</p>
</li>
<li>
<p>
bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
string <strong>wizard.hexes[].service</strong>: name of service
</p>
</li>
<li>
<p>
string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
string <strong>wizard.spells[].service</strong>: name of service
</p>
</li>
<li>
<p>
string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)
</p>
</li>
<li>
<p>
string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_counts">Counts</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>arp_spoof.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>back_orifice.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>binder.allows</strong>: allow bindings
</p>
</li>
<li>
<p>
<strong>binder.blocks</strong>: block bindings
</p>
</li>
<li>
<p>
<strong>binder.inspects</strong>: inspect bindings
</p>
</li>
<li>
<p>
<strong>binder.packets</strong>: initial bindings
</p>
</li>
<li>
<p>
<strong>binder.resets</strong>: reset bindings
</p>
</li>
<li>
<p>
<strong>daq.allow</strong>: total allow verdicts
</p>
</li>
<li>
<p>
<strong>daq.analyzed</strong>: total packets analyzed from DAQ
</p>
</li>
<li>
<p>
<strong>daq.blacklist</strong>: total blacklist verdicts
</p>
</li>
<li>
<p>
<strong>daq.block</strong>: total block verdicts
</p>
</li>
<li>
<p>
<strong>daq.dropped</strong>: packets dropped
</p>
</li>
<li>
<p>
<strong>daq.fail open</strong>: packets passed during initialization
</p>
</li>
<li>
<p>
<strong>daq.filtered</strong>: packets filtered out
</p>
</li>
<li>
<p>
<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets
</p>
</li>
<li>
<p>
<strong>daq.ignore</strong>: total ignore verdicts
</p>
</li>
<li>
<p>
<strong>daq.injected</strong>: active responses or replacements
</p>
</li>
<li>
<p>
<strong>daq.internal blacklist</strong>: packets blacklisted internally due to lack of DAQ support
</p>
</li>
<li>
<p>
<strong>daq.internal whitelist</strong>: packets whitelisted internally due to lack of DAQ support
</p>
</li>
<li>
<p>
<strong>daq.outstanding</strong>: packets unprocessed
</p>
</li>
<li>
<p>
<strong>daq.pcaps</strong>: total files and interfaces processed
</p>
</li>
<li>
<p>
<strong>daq.received</strong>: total packets received from DAQ
</p>
</li>
<li>
<p>
<strong>daq.replace</strong>: total replace verdicts
</p>
</li>
<li>
<p>
<strong>daq.skipped</strong>: packets skipped at startup
</p>
</li>
<li>
<p>
<strong>daq.whitelist</strong>: total whitelist verdicts
</p>
</li>
<li>
<p>
<strong>data_log.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>detection.alert limit</strong>: events previously triggered on same PDU
</p>
</li>
<li>
<p>
<strong>detection.alerts</strong>: alerts not including IP reputation
</p>
</li>
<li>
<p>
<strong>detection.alt searches</strong>: alt fast pattern searches in packet data
</p>
</li>
<li>
<p>
<strong>detection.analyzed</strong>: packets sent to detection
</p>
</li>
<li>
<p>
<strong>detection.body searches</strong>: fast pattern searches in body buffer
</p>
</li>
<li>
<p>
<strong>detection.cooked searches</strong>: fast pattern searches in cooked packet data
</p>
</li>
<li>
<p>
<strong>detection.event limit</strong>: events filtered
</p>
</li>
<li>
<p>
<strong>detection.file searches</strong>: fast pattern searches in file buffer
</p>
</li>
<li>
<p>
<strong>detection.header searches</strong>: fast pattern searches in header buffer
</p>
</li>
<li>
<p>
<strong>detection.key searches</strong>: fast pattern searches in key buffer
</p>
</li>
<li>
<p>
<strong>detection.log limit</strong>: events queued but not logged
</p>
</li>
<li>
<p>
<strong>detection.logged</strong>: logged packets
</p>
</li>
<li>
<p>
<strong>detection.match limit</strong>: fast pattern matches not processed
</p>
</li>
<li>
<p>
<strong>detection.passed</strong>: passed packets
</p>
</li>
<li>
<p>
<strong>detection.pkt searches</strong>: fast pattern searches in packet data
</p>
</li>
<li>
<p>
<strong>detection.queue limit</strong>: events not queued because queue full
</p>
</li>
<li>
<p>
<strong>detection.raw searches</strong>: fast pattern searches in raw packet data
</p>
</li>
<li>
<p>
<strong>detection.slow searches</strong>: non-fast pattern rule evaluations
</p>
</li>
<li>
<p>
<strong>detection.total alerts</strong>: alerts including IP reputation
</p>
</li>
<li>
<p>
<strong>dns.packets</strong>: total packets processed
</p>
</li>
<li>
<p>
<strong>dns.requests</strong>: total dns requests
</p>
</li>
<li>
<p>
<strong>dns.responses</strong>: total dns responses
</p>
</li>
<li>
<p>
<strong>dpx.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>ftp_data.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>ftp_server.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>gtp_inspect.events</strong>: requests
</p>
</li>
<li>
<p>
<strong>gtp_inspect.sessions</strong>: total sessions processed
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown infos</strong>: unknown information elements
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown types</strong>: unknown message types
</p>
</li>
<li>
<p>
<strong>http_global.compressed bytes</strong>: total comparessed bytes processed
</p>
</li>
<li>
<p>
<strong>http_global.decompressed bytes</strong>: total bytes decompressed
</p>
</li>
<li>
<p>
<strong>http_global.double unicode</strong>: double unicode normalizations
</p>
</li>
<li>
<p>
<strong>http_global.gets</strong>: GET requests
</p>
</li>
<li>
<p>
<strong>http_global.gzip packets</strong>: packets with gzip compression
</p>
</li>
<li>
<p>
<strong>http_global.non-ascii</strong>: non-ascii normalizations
</p>
</li>
<li>
<p>
<strong>http_global.packets</strong>: total packets processed
</p>
</li>
<li>
<p>
<strong>http_global.paths with ../</strong>: directory traversal normalizations
</p>
</li>
<li>
<p>
<strong>http_global.paths with ./</strong>: relative directory normalizations
</p>
</li>
<li>
<p>
<strong>http_global.paths with //</strong>: double slash normalizations
</p>
</li>
<li>
<p>
<strong>http_global.post params</strong>: POST parameters extracted
</p>
</li>
<li>
<p>
<strong>http_global.posts</strong>: POST requests
</p>
</li>
<li>
<p>
<strong>http_global.request cookies</strong>: requests with Cookie
</p>
</li>
<li>
<p>
<strong>http_global.request headers</strong>: total requests
</p>
</li>
<li>
<p>
<strong>http_global.response cookies</strong>: responses with Set-Cookie
</p>
</li>
<li>
<p>
<strong>http_global.response headers</strong>: total responses
</p>
</li>
<li>
<p>
<strong>http_global.unicode</strong>: unicode normalizations
</p>
</li>
<li>
<p>
<strong>icmp4.bad checksum</strong>: non-zero icmp checksums
</p>
</li>
<li>
<p>
<strong>icmp6.bad checksum (ip4)</strong>: nonzero ipcm4 checksums
</p>
</li>
<li>
<p>
<strong>icmp6.bad checksum (ip6)</strong>: nonzero ipcm6 checksums
</p>
</li>
<li>
<p>
<strong>imap.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>ipv4.bad checksum</strong>: nonzero ip checksums
</p>
</li>
<li>
<p>
<strong>modbus.frames</strong>: total Modbus messages
</p>
</li>
<li>
<p>
<strong>modbus.sessions</strong>: total sessions processed
</p>
</li>
<li>
<p>
<strong>normalizer.icmp4 echo</strong>: icmp4 ping normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.icmp6 echo</strong>: icmp6 echo normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 df</strong>: don&#8217;t frag bit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 opts</strong>: ip4 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 rf</strong>: reserved flag bit clears
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 tos</strong>: type of service normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 trim</strong>: eth packets trimmed to datagram size
</p>
</li>
<li>
<p>
<strong>normalizer.ip4 ttl</strong>: time-to-live normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip6 hops</strong>: ip6 hop limit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.ip6 options</strong>: ip6 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp block</strong>: blocked segments
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ecn pkt</strong>: packets with ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ecn session</strong>: ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ips data</strong>: normalized segments
</p>
</li>
<li>
<p>
<strong>normalizer.tcp nonce</strong>: packets with nonce bit cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp options</strong>: packets with options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp paddding</strong>: packets with padding cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp req pay</strong>: cleared urgent pointer and urgent flag when there is no payload
</p>
</li>
<li>
<p>
<strong>normalizer.tcp req urg</strong>: cleared urgent pointer when urgent flag is not set
</p>
</li>
<li>
<p>
<strong>normalizer.tcp req urp</strong>: cleared the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
<strong>normalizer.tcp reserved</strong>: packets with reserved bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp syn options</strong>: SYN only options cleared from non-SYN packets
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim mss</strong>: data trimmed to MSS
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim rst</strong>: RST packets with data trimmed
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim syn</strong>: tcp segments trimmed on SYN
</p>
</li>
<li>
<p>
<strong>normalizer.tcp trim win</strong>: data trimed to window
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ts ecr</strong>: timestamp cleared on non-ACKs
</p>
</li>
<li>
<p>
<strong>normalizer.tcp ts nop</strong>: timestamp options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.tcp urgent ptr</strong>: packets without data with urgent pointer cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test icmp4 echo</strong>: During inline mode, would have icmp4 ping normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test icmp6 echo</strong>: During inline mode, would have icmp6 echo normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 df</strong>: During inline mode, would have don&#8217;t frag bit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 opts</strong>: During inline mode, would have ip4 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 rf</strong>: During inline mode, would have reserved flag bit clears
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 tos</strong>: During inline mode, would have type of service normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 trim</strong>: During inline mode, would have eth packets trimmed to datagram size
</p>
</li>
<li>
<p>
<strong>normalizer.test ip4 ttl</strong>: During inline mode, would have time-to-live normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip6 hops</strong>: During inline mode, would have ip6 hop limit normalizations
</p>
</li>
<li>
<p>
<strong>normalizer.test ip6 options</strong>: During inline mode, would have ip6 options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp block</strong>: During inline mode, would have blocked segments
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ecn pkt</strong>: During inline mode, would have packets with ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ecn session</strong>: During inline mode, would have ECN bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ips data</strong>: During inline mode, would have normalized segments
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp nonce</strong>: During inline mode, would have packets with nonce bit cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp options</strong>: During inline mode, would have packets with options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp paddding</strong>: During inline mode, would have packets with padding cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp req pay</strong>: During inline mode, would have cleared urgent pointer and urgent flag when there is no payload
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp req urg</strong>: During inline mode, would have cleared urgent pointer when urgent flag is not set
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp req urp</strong>: During inline mode, would have cleared the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp reserved</strong>: During inline mode, would have packets with reserved bits cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp syn options</strong>: During inline mode, would have SYN only options cleared from non-SYN packets
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim mss</strong>: During inline mode, would have data trimmed to MSS
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim rst</strong>: During inline mode, would have RST packets with data trimmed
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim syn</strong>: During inline mode, would have tcp segments trimmed on SYN
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp trim win</strong>: During inline mode, would have data trimed to window
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ts ecr</strong>: During inline mode, would have timestamp cleared on non-ACKs
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp ts nop</strong>: During inline mode, would have timestamp options cleared
</p>
</li>
<li>
<p>
<strong>normalizer.test tcp urgent ptr</strong>: During inline mode, would have packets without data with urgent pointer cleared
</p>
</li>
<li>
<p>
<strong>perf_monitor.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>pop.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>port_scan_global.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>rpc_decode.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>sip.dialogs</strong>: total dialogs
</p>
</li>
<li>
<p>
<strong>sip.events</strong>: events generated
</p>
</li>
<li>
<p>
<strong>sip.ignored channels</strong>: total channels ignored
</p>
</li>
<li>
<p>
<strong>sip.ignored sessions</strong>: total sessions ignored
</p>
</li>
<li>
<p>
<strong>sip.requests</strong>: total requests
</p>
</li>
<li>
<p>
<strong>sip.responses</strong>: total responses
</p>
</li>
<li>
<p>
<strong>sip.sessions</strong>: total sessions
</p>
</li>
<li>
<p>
<strong>smtp.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>snort.attribute table hosts</strong>: total number of hosts in table
</p>
</li>
<li>
<p>
<strong>snort.attribute table reloads</strong>: number of times hosts table was reloaded
</p>
</li>
<li>
<p>
<strong>snort.conf reloads</strong>: number of times configuration was reloaded
</p>
</li>
<li>
<p>
<strong>snort.local commands</strong>: total local commands processed
</p>
</li>
<li>
<p>
<strong>snort.remote commands</strong>: total remote commands processed
</p>
</li>
<li>
<p>
<strong>snort.signals</strong>: total signals processed
</p>
</li>
<li>
<p>
<strong>ssh.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>ssl.alert</strong>: total ssl alert records
</p>
</li>
<li>
<p>
<strong>ssl.bad handshakes</strong>: total bad handshakes
</p>
</li>
<li>
<p>
<strong>ssl.certificate</strong>: total ssl certificates
</p>
</li>
<li>
<p>
<strong>ssl.change cipher</strong>: total change cipher records
</p>
</li>
<li>
<p>
<strong>ssl.client application</strong>: total client application records
</p>
</li>
<li>
<p>
<strong>ssl.client hello</strong>: total client hellos
</p>
</li>
<li>
<p>
<strong>ssl.client key exchange</strong>: total client key exchanges
</p>
</li>
<li>
<p>
<strong>ssl.decoded</strong>: ssl packets decoded
</p>
</li>
<li>
<p>
<strong>ssl.detection disabled</strong>: total detection disabled
</p>
</li>
<li>
<p>
<strong>ssl.finished</strong>: total handshakes finished
</p>
</li>
<li>
<p>
<strong>ssl.handshakes completed</strong>: total completed ssl handshakes
</p>
</li>
<li>
<p>
<strong>ssl.packets</strong>: total packets processed
</p>
</li>
<li>
<p>
<strong>ssl.server application</strong>: total server application records
</p>
</li>
<li>
<p>
<strong>ssl.server done</strong>: total server done
</p>
</li>
<li>
<p>
<strong>ssl.server hello</strong>: total server hellos
</p>
</li>
<li>
<p>
<strong>ssl.server key exchange</strong>: total server key exchanges
</p>
</li>
<li>
<p>
<strong>ssl.sessions ignored</strong>: total sessions ignore
</p>
</li>
<li>
<p>
<strong>ssl.unrecognized records</strong>: total unrecognized records
</p>
</li>
<li>
<p>
<strong>stream.file flows</strong>: total file sessions
</p>
</li>
<li>
<p>
<strong>stream.file prunes</strong>: file sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.icmp flows</strong>: total icmp sessions
</p>
</li>
<li>
<p>
<strong>stream.icmp prunes</strong>: icmp sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.ip flows</strong>: total ip sessions
</p>
</li>
<li>
<p>
<strong>stream.ip prunes</strong>: ip sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.tcp flows</strong>: total tcp sessions
</p>
</li>
<li>
<p>
<strong>stream.tcp prunes</strong>: tcp sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.udp flows</strong>: total udp sessions
</p>
</li>
<li>
<p>
<strong>stream.udp prunes</strong>: udp sessions pruned
</p>
</li>
<li>
<p>
<strong>stream.user flows</strong>: total user sessions
</p>
</li>
<li>
<p>
<strong>stream.user prunes</strong>: user sessions pruned
</p>
</li>
<li>
<p>
<strong>stream_icmp.created</strong>: icmp session trackers created
</p>
</li>
<li>
<p>
<strong>stream_icmp.released</strong>: icmp session trackers released
</p>
</li>
<li>
<p>
<strong>stream_ip.alerts</strong>: alerts generated
</p>
</li>
<li>
<p>
<strong>stream_ip.anomalies</strong>: anomalies detected
</p>
</li>
<li>
<p>
<strong>stream_ip.discards</strong>: fragments discarded
</p>
</li>
<li>
<p>
<strong>stream_ip.drops</strong>: fragments dropped
</p>
</li>
<li>
<p>
<strong>stream_ip.frag timeouts</strong>: datagrams abandoned
</p>
</li>
<li>
<p>
<strong>stream_ip.fragments</strong>: total fragments
</p>
</li>
<li>
<p>
<strong>stream_ip.memory faults</strong>: memory faults
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes deleted</strong>: fragments deleted from tracker
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes inserted</strong>: fragments added to tracker
</p>
</li>
<li>
<p>
<strong>stream_ip.overlaps</strong>: overlapping fragments
</p>
</li>
<li>
<p>
<strong>stream_ip.reassembled</strong>: reassembled datagrams
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers added</strong>: datagram trackers created
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers freed</strong>: datagram trackers released
</p>
</li>
<li>
<p>
<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack
</p>
</li>
<li>
<p>
<strong>stream_tcp.client cleanups</strong>: number of times data from server was flushed when session released
</p>
</li>
<li>
<p>
<strong>stream_tcp.data trackers</strong>: tcp session tracking started on data
</p>
</li>
<li>
<p>
<strong>stream_tcp.discards</strong>: tcp packets discarded
</p>
</li>
<li>
<p>
<strong>stream_tcp.events</strong>: events generated
</p>
</li>
<li>
<p>
<strong>stream_tcp.gaps</strong>: missing data between PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.ignored</strong>: tcp packets ignored
</p>
</li>
<li>
<p>
<strong>stream_tcp.internal events</strong>: 135:X events generated
</p>
</li>
<li>
<p>
<strong>stream_tcp.max bytes</strong>: number of times the maximum queued byte limit was reached
</p>
</li>
<li>
<p>
<strong>stream_tcp.max segs</strong>: number of times the maximum queued segment limit was reached
</p>
</li>
<li>
<p>
<strong>stream_tcp.overlaps</strong>: overlapping segments queued
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt buffers</strong>: rebuilt PDU sections
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt packets</strong>: total reassembled PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.resyns</strong>: SYN received on established session
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs queued</strong>: total segments queued
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs released</strong>: total segments released
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs split</strong>: tcp segments split when reassembling PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs used</strong>: queued tcp segments applied to reassembled PDUs
</p>
</li>
<li>
<p>
<strong>stream_tcp.server cleanups</strong>: number of times data from client was flushed when session released
</p>
</li>
<li>
<p>
<strong>stream_tcp.sessions</strong>: total sessions
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn trackers</strong>: tcp session tracking started on syn
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn-ack trackers</strong>: tcp session tracking started on syn-ack
</p>
</li>
<li>
<p>
<strong>stream_tcp.timeouts</strong>: sessions timed out
</p>
</li>
<li>
<p>
<strong>stream_tcp.trackers created</strong>: tcp session trackers created
</p>
</li>
<li>
<p>
<strong>stream_tcp.trackers released</strong>: tcp session trackers released
</p>
</li>
<li>
<p>
<strong>stream_tcp.untracked</strong>: tcp packets not tracked
</p>
</li>
<li>
<p>
<strong>stream_udp.created</strong>: udp session trackers created
</p>
</li>
<li>
<p>
<strong>stream_udp.released</strong>: udp session trackers released
</p>
</li>
<li>
<p>
<strong>stream_udp.sessions</strong>: total udp sessions
</p>
</li>
<li>
<p>
<strong>stream_udp.timeouts</strong>: udp session timeouts
</p>
</li>
<li>
<p>
<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums
</p>
</li>
<li>
<p>
<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums
</p>
</li>
<li>
<p>
<strong>telnet.packets</strong>: total packets
</p>
</li>
<li>
<p>
<strong>udp.bad checksum (ip4)</strong>: nonzero udp over ipv4 checksums
</p>
</li>
<li>
<p>
<strong>udp.bad checksum (ip6)</strong>: nonzero udp over ipv6 checksums
</p>
</li>
<li>
<p>
<strong>wizard.tcp hits</strong>: tcp identifications
</p>
</li>
<li>
<p>
<strong>wizard.tcp scans</strong>: tcp payload scans
</p>
</li>
<li>
<p>
<strong>wizard.udp hits</strong>: udp identifications
</p>
</li>
<li>
<p>
<strong>wizard.udp scans</strong>: udp payload scans
</p>
</li>
<li>
<p>
<strong>wizard.user hits</strong>: user identifications
</p>
</li>
<li>
<p>
<strong>wizard.user scans</strong>: user payload scans
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_generators">Generators</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>105</strong>: back_orifice
</p>
</li>
<li>
<p>
<strong>106</strong>: rpc_decode
</p>
</li>
<li>
<p>
<strong>112</strong>: arp_spoof
</p>
</li>
<li>
<p>
<strong>116</strong>: arp
</p>
</li>
<li>
<p>
<strong>116</strong>: auth
</p>
</li>
<li>
<p>
<strong>116</strong>: decode
</p>
</li>
<li>
<p>
<strong>116</strong>: eapol
</p>
</li>
<li>
<p>
<strong>116</strong>: erspan2
</p>
</li>
<li>
<p>
<strong>116</strong>: erspan3
</p>
</li>
<li>
<p>
<strong>116</strong>: esp
</p>
</li>
<li>
<p>
<strong>116</strong>: eth
</p>
</li>
<li>
<p>
<strong>116</strong>: fabricpath
</p>
</li>
<li>
<p>
<strong>116</strong>: gre
</p>
</li>
<li>
<p>
<strong>116</strong>: gtp
</p>
</li>
<li>
<p>
<strong>116</strong>: icmp4
</p>
</li>
<li>
<p>
<strong>116</strong>: icmp6
</p>
</li>
<li>
<p>
<strong>116</strong>: igmp
</p>
</li>
<li>
<p>
<strong>116</strong>: ipv4
</p>
</li>
<li>
<p>
<strong>116</strong>: ipv6
</p>
</li>
<li>
<p>
<strong>116</strong>: mpls
</p>
</li>
<li>
<p>
<strong>116</strong>: pgm
</p>
</li>
<li>
<p>
<strong>116</strong>: pppoe
</p>
</li>
<li>
<p>
<strong>116</strong>: tcp
</p>
</li>
<li>
<p>
<strong>116</strong>: token_ring
</p>
</li>
<li>
<p>
<strong>116</strong>: udp
</p>
</li>
<li>
<p>
<strong>116</strong>: vlan
</p>
</li>
<li>
<p>
<strong>116</strong>: wlan
</p>
</li>
<li>
<p>
<strong>119</strong>: http_global
</p>
</li>
<li>
<p>
<strong>120</strong>: http_inspect
</p>
</li>
<li>
<p>
<strong>122</strong>: port_scan
</p>
</li>
<li>
<p>
<strong>123</strong>: stream_ip
</p>
</li>
<li>
<p>
<strong>124</strong>: smtp
</p>
</li>
<li>
<p>
<strong>125</strong>: ftp_server
</p>
</li>
<li>
<p>
<strong>126</strong>: telnet
</p>
</li>
<li>
<p>
<strong>128</strong>: ssh
</p>
</li>
<li>
<p>
<strong>129</strong>: stream_tcp
</p>
</li>
<li>
<p>
<strong>131</strong>: dns
</p>
</li>
<li>
<p>
<strong>137</strong>: ssl
</p>
</li>
<li>
<p>
<strong>140</strong>: sip
</p>
</li>
<li>
<p>
<strong>141</strong>: imap
</p>
</li>
<li>
<p>
<strong>142</strong>: pop
</p>
</li>
<li>
<p>
<strong>143</strong>: gtp_inspect
</p>
</li>
<li>
<p>
<strong>144</strong>: modbus
</p>
</li>
<li>
<p>
<strong>219</strong>: new_http_inspect
</p>
</li>
<li>
<p>
<strong>256</strong>: dpx
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_builtin_rules">Builtin Rules</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>105:1</strong> (back_orifice) BO traffic detected
</p>
</li>
<li>
<p>
<strong>105:2</strong> (back_orifice) BO client traffic detected
</p>
</li>
<li>
<p>
<strong>105:3</strong> (back_orifice) BO server traffic detected
</p>
</li>
<li>
<p>
<strong>105:4</strong> (back_orifice) BO Snort buffer attack
</p>
</li>
<li>
<p>
<strong>106:1</strong> (rpc_decode) fragmented RPC records
</p>
</li>
<li>
<p>
<strong>106:2</strong> (rpc_decode) multiple RPC records
</p>
</li>
<li>
<p>
<strong>106:3</strong> (rpc_decode) large RPC record fragment
</p>
</li>
<li>
<p>
<strong>106:4</strong> (rpc_decode) incomplete RPC segment
</p>
</li>
<li>
<p>
<strong>106:5</strong> (rpc_decode) zero-length RPC fragment
</p>
</li>
<li>
<p>
<strong>112:1</strong> (arp_spoof) unicast ARP request
</p>
</li>
<li>
<p>
<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source
</p>
</li>
<li>
<p>
<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination
</p>
</li>
<li>
<p>
<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack
</p>
</li>
<li>
<p>
<strong>116:1</strong> (ipv4) Not IPv4 datagram
</p>
</li>
<li>
<p>
<strong>116:2</strong> (ipv4) hlen &lt; minimum
</p>
</li>
<li>
<p>
<strong>116:3</strong> (ipv4) IP dgm len &lt; IP Hdr len
</p>
</li>
<li>
<p>
<strong>116:4</strong> (ipv4) Ipv4 Options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:5</strong> (ipv4) Truncated Ipv4 Options
</p>
</li>
<li>
<p>
<strong>116:6</strong> (ipv4) IP dgm len &gt; captured len
</p>
</li>
<li>
<p>
<strong>116:45</strong> (tcp) TCP packet len is smaller than 20 bytes
</p>
</li>
<li>
<p>
<strong>116:46</strong> (tcp) TCP data offset is less than 5
</p>
</li>
<li>
<p>
<strong>116:47</strong> (tcp) TCP header length exceeds packet length
</p>
</li>
<li>
<p>
<strong>116:54</strong> (tcp) TCP options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:55</strong> (tcp) truncated TCP options
</p>
</li>
<li>
<p>
<strong>116:56</strong> (tcp) T/TCP detected
</p>
</li>
<li>
<p>
<strong>116:57</strong> (tcp) obsolete TCP options found
</p>
</li>
<li>
<p>
<strong>116:58</strong> (tcp) experimental TCP options found
</p>
</li>
<li>
<p>
<strong>116:59</strong> (tcp) TCP window scale option found with length &gt; 14
</p>
</li>
<li>
<p>
<strong>116:95</strong> (udp) truncated UDP header
</p>
</li>
<li>
<p>
<strong>116:96</strong> (udp) invalid UDP header, length field &lt; 8
</p>
</li>
<li>
<p>
<strong>116:97</strong> (udp) short UDP packet, length field &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:98</strong> (udp) long UDP packet, length field &lt; payload length
</p>
</li>
<li>
<p>
<strong>116:105</strong> (icmp4) ICMP header truncated
</p>
</li>
<li>
<p>
<strong>116:106</strong> (icmp4) ICMP timestamp header truncated
</p>
</li>
<li>
<p>
<strong>116:107</strong> (icmp4) ICMP address header truncated
</p>
</li>
<li>
<p>
<strong>116:109</strong> (arp) truncated ARP
</p>
</li>
<li>
<p>
<strong>116:110</strong> (eapol) truncated EAP header
</p>
</li>
<li>
<p>
<strong>116:111</strong> (eapol) EAP key truncated
</p>
</li>
<li>
<p>
<strong>116:112</strong> (eapol) EAP header truncated
</p>
</li>
<li>
<p>
<strong>116:120</strong> (pppoe) bad PPPOE frame detected
</p>
</li>
<li>
<p>
<strong>116:130</strong> (vlan) bad VLAN frame
</p>
</li>
<li>
<p>
<strong>116:131</strong> (vlan) bad LLC header
</p>
</li>
<li>
<p>
<strong>116:132</strong> (vlan) bad extra LLC info
</p>
</li>
<li>
<p>
<strong>116:133</strong> (wlan) bad 802.11 LLC header
</p>
</li>
<li>
<p>
<strong>116:134</strong> (wlan) bad 802.11 extra LLC info
</p>
</li>
<li>
<p>
<strong>116:140</strong> (token_ring) (token_ring) Bad Token Ring Header
</p>
</li>
<li>
<p>
<strong>116:141</strong> (token_ring) (token_ring) Bad Token Ring ETHLLC Header
</p>
</li>
<li>
<p>
<strong>116:142</strong> (token_ring) (token_ring) Bad Token Ring MRLENHeader
</p>
</li>
<li>
<p>
<strong>116:143</strong> (token_ring) (token_ring) Bad Token Ring MR Header
</p>
</li>
<li>
<p>
<strong>116:150</strong> (decode) bad traffic loopback IP
</p>
</li>
<li>
<p>
<strong>116:151</strong> (decode) bad traffic same src/dst IP
</p>
</li>
<li>
<p>
<strong>116:160</strong> (gre) GRE header length &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:161</strong> (gre) multiple encapsulations in packet
</p>
</li>
<li>
<p>
<strong>116:162</strong> (gre) invalid GRE version
</p>
</li>
<li>
<p>
<strong>116:163</strong> (gre) invalid GRE header
</p>
</li>
<li>
<p>
<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header
</p>
</li>
<li>
<p>
<strong>116:165</strong> (gre) GRE trans header length &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:170</strong> (mpls) bad MPLS frame
</p>
</li>
<li>
<p>
<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header
</p>
</li>
<li>
<p>
<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:174</strong> (mpls) MPLS label 3 appears in header
</p>
</li>
<li>
<p>
<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header
</p>
</li>
<li>
<p>
<strong>116:176</strong> (mpls) too many MPLS headers
</p>
</li>
<li>
<p>
<strong>116:250</strong> (icmp4) ICMP original IP header truncated
</p>
</li>
<li>
<p>
<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ
</p>
</li>
<li>
<p>
<strong>116:252</strong> (icmp4) ICMP original datagram length &lt; original IP header length
</p>
</li>
<li>
<p>
<strong>116:253</strong> (icmp4) ICMP original IP payload &lt; 64 bits
</p>
</li>
<li>
<p>
<strong>116:254</strong> (icmp4) ICMP original IP payload &gt; 576 bytes
</p>
</li>
<li>
<p>
<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0
</p>
</li>
<li>
<p>
<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6
</p>
</li>
<li>
<p>
<strong>116:272</strong> (ipv6) IPV6 truncated extension header
</p>
</li>
<li>
<p>
<strong>116:273</strong> (ipv6) IPV6 truncated header
</p>
</li>
<li>
<p>
<strong>116:274</strong> (ipv6) IP dgm len &lt; IP Hdr len
</p>
</li>
<li>
<p>
<strong>116:275</strong> (ipv6) IP dgm len &gt; captured len
</p>
</li>
<li>
<p>
<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0
</p>
</li>
<li>
<p>
<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address
</p>
</li>
<li>
<p>
<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address
</p>
</li>
<li>
<p>
<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type
</p>
</li>
<li>
<p>
<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value
</p>
</li>
<li>
<p>
<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field
</p>
</li>
<li>
<p>
<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header
</p>
</li>
<li>
<p>
<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers
</p>
</li>
<li>
<p>
<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field &lt; 1280
</p>
</li>
<li>
<p>
<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
</p>
</li>
<li>
<p>
<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0
</p>
</li>
<li>
<p>
<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set &gt; 1 hour
</p>
</li>
<li>
<p>
<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack
</p>
</li>
<li>
<p>
<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header
</p>
</li>
<li>
<p>
<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:294</strong> (esp) truncated encapsulated security payload header
</p>
</li>
<li>
<p>
<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header
</p>
</li>
<li>
<p>
<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers
</p>
</li>
<li>
<p>
<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:298</strong> (gtp) GTP header length is invalid
</p>
</li>
<li>
<p>
<strong>116:400</strong> (tcp) XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:401</strong> (tcp) Nmap XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected
</p>
</li>
<li>
<p>
<strong>116:403</strong> (tcp) bad traffic SYN to multicast address
</p>
</li>
<li>
<p>
<strong>116:404</strong> (ipv4) IPV4 packet with zero TTL
</p>
</li>
<li>
<p>
<strong>116:405</strong> (ipv4) IPV4 packet with bad frag bits (both MF and DF set)
</p>
</li>
<li>
<p>
<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero
</p>
</li>
<li>
<p>
<strong>116:407</strong> (ipv4) IPV4 packet frag offset + length exceed maximum
</p>
</li>
<li>
<p>
<strong>116:408</strong> (ipv4) IPV4 packet from <em>current net</em> source address
</p>
</li>
<li>
<p>
<strong>116:409</strong> (ipv4) IPV4 packet to <em>current net</em> dest address
</p>
</li>
<li>
<p>
<strong>116:410</strong> (ipv4) IPV4 packet from multicast source address
</p>
</li>
<li>
<p>
<strong>116:411</strong> (ipv4) IPV4 packet from reserved source address
</p>
</li>
<li>
<p>
<strong>116:412</strong> (ipv4) IPV4 packet to reserved dest address
</p>
</li>
<li>
<p>
<strong>116:413</strong> (ipv4) IPV4 packet from broadcast source address
</p>
</li>
<li>
<p>
<strong>116:414</strong> (ipv4) IPV4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address
</p>
</li>
<li>
<p>
<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:418</strong> (icmp4) ICMP4 type other
</p>
</li>
<li>
<p>
<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload
</p>
</li>
<li>
<p>
<strong>116:420</strong> (tcp) TCP SYN with FIN
</p>
</li>
<li>
<p>
<strong>116:421</strong> (tcp) TCP SYN with RST
</p>
</li>
<li>
<p>
<strong>116:422</strong> (tcp) TCP PDU missing ack for established session
</p>
</li>
<li>
<p>
<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST
</p>
</li>
<li>
<p>
<strong>116:424</strong> (eth) truncated eth header
</p>
</li>
<li>
<p>
<strong>116:425</strong> (ipv4) truncated IP4 header
</p>
</li>
<li>
<p>
<strong>116:426</strong> (icmp4) truncated ICMP4 header
</p>
</li>
<li>
<p>
<strong>116:427</strong> (icmp6) truncated ICMP6 header
</p>
</li>
<li>
<p>
<strong>116:428</strong> (ipv4) IPV4 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:429</strong> (ipv6) IPV6 packet has zero hop limit
</p>
</li>
<li>
<p>
<strong>116:430</strong> (ipv4) IPV4 packet both DF and offset set
</p>
</li>
<li>
<p>
<strong>116:431</strong> (icmp6) ICMP6 type not decoded
</p>
</li>
<li>
<p>
<strong>116:432</strong> (icmp6) ICMP6 packet to multicast address
</p>
</li>
<li>
<p>
<strong>116:433</strong> (tcp) DDOS shaft SYN flood
</p>
</li>
<li>
<p>
<strong>116:434</strong> (icmp4) ICMP ping NMAP
</p>
</li>
<li>
<p>
<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1
</p>
</li>
<li>
<p>
<strong>116:436</strong> (icmp4) ICMP redirect host
</p>
</li>
<li>
<p>
<strong>116:437</strong> (icmp4) ICMP redirect net
</p>
</li>
<li>
<p>
<strong>116:438</strong> (icmp4) ICMP traceroute ipopts
</p>
</li>
<li>
<p>
<strong>116:439</strong> (icmp4) ICMP source quench
</p>
</li>
<li>
<p>
<strong>116:440</strong> (icmp4) broadscan smurf scanner
</p>
</li>
<li>
<p>
<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:444</strong> (ipv4) MISC IP option set
</p>
</li>
<li>
<p>
<strong>116:445</strong> (udp) misc large UDP Packet
</p>
</li>
<li>
<p>
<strong>116:446</strong> (tcp) BAD-TRAFFIC TCP port 0 traffic
</p>
</li>
<li>
<p>
<strong>116:447</strong> (udp) BAD-TRAFFIC UDP port 0 traffic
</p>
</li>
<li>
<p>
<strong>116:448</strong> (ipv4) BAD-TRAFFIC IP reserved bit set
</p>
</li>
<li>
<p>
<strong>116:449</strong> (decode) BAD-TRAFFIC unassigned/reserved IP protocol
</p>
</li>
<li>
<p>
<strong>116:450</strong> (decode) BAD-TRAFFIC bad IP protocol
</p>
</li>
<li>
<p>
<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt
</p>
</li>
<li>
<p>
<strong>116:452</strong> (icmp4) BAD-TRAFFIC Linux ICMP header DOS attempt
</p>
</li>
<li>
<p>
<strong>116:453</strong> (ipv6) BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt
</p>
</li>
<li>
<p>
<strong>116:454</strong> (pgm) BAD-TRAFFIC PGM nak list overflow attempt
</p>
</li>
<li>
<p>
<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt
</p>
</li>
<li>
<p>
<strong>116:456</strong> (ipv6) too many IP6 extension headers
</p>
</li>
<li>
<p>
<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
</p>
</li>
<li>
<p>
<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack
</p>
</li>
<li>
<p>
<strong>116:459</strong> (decode) fragment with zero length
</p>
</li>
<li>
<p>
<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2
</p>
</li>
<li>
<p>
<strong>116:461</strong> (ipv6) IPV6 routing type 0 extension header
</p>
</li>
<li>
<p>
<strong>116:462</strong> (erspan2) ERSpan header version mismatch
</p>
</li>
<li>
<p>
<strong>116:463</strong> (erspan2) captured &lt; ERSpan type2 header length
</p>
</li>
<li>
<p>
<strong>116:464</strong> (erspan3) captured &lt; ERSpan type3 header length
</p>
</li>
<li>
<p>
<strong>116:465</strong> (auth) truncated authentication header
</p>
</li>
<li>
<p>
<strong>116:466</strong> (auth) bad authentication header length
</p>
</li>
<li>
<p>
<strong>116:467</strong> (fabricpath) truncated FabricPath header
</p>
</li>
<li>
<p>
<strong>116:468</strong> (decode) too many protocols present
</p>
</li>
<li>
<p>
<strong>119:1</strong> (http_global) ascii encoding
</p>
</li>
<li>
<p>
<strong>119:2</strong> (http_global) double decoding attack
</p>
</li>
<li>
<p>
<strong>119:3</strong> (http_global) u encoding
</p>
</li>
<li>
<p>
<strong>119:4</strong> (http_global) bare byte unicode encoding
</p>
</li>
<li>
<p>
<strong>119:5</strong> (http_global) base36 encoding
</p>
</li>
<li>
<p>
<strong>119:6</strong> (http_global) UTF-8 encoding
</p>
</li>
<li>
<p>
<strong>119:7</strong> (http_global) IIS unicode codepoint encoding
</p>
</li>
<li>
<p>
<strong>119:8</strong> (http_global) multi_slash encoding
</p>
</li>
<li>
<p>
<strong>119:9</strong> (http_global) IIS backslash evasion
</p>
</li>
<li>
<p>
<strong>119:10</strong> (http_global) self directory traversal
</p>
</li>
<li>
<p>
<strong>119:11</strong> (http_global) directory traversal
</p>
</li>
<li>
<p>
<strong>119:12</strong> (http_global) apache whitespace (tab)
</p>
</li>
<li>
<p>
<strong>119:13</strong> (http_global) non-RFC http delimiter
</p>
</li>
<li>
<p>
<strong>119:14</strong> (http_global) non-RFC defined char
</p>
</li>
<li>
<p>
<strong>119:15</strong> (http_global) oversize request-URI directory
</p>
</li>
<li>
<p>
<strong>119:16</strong> (http_global) oversize chunk encoding
</p>
</li>
<li>
<p>
<strong>119:17</strong> (http_global) unauthorized proxy use detected
</p>
</li>
<li>
<p>
<strong>119:18</strong> (http_global) webroot directory traversal
</p>
</li>
<li>
<p>
<strong>119:19</strong> (http_global) long header
</p>
</li>
<li>
<p>
<strong>119:20</strong> (http_global) max header fields
</p>
</li>
<li>
<p>
<strong>119:21</strong> (http_global) multiple content length
</p>
</li>
<li>
<p>
<strong>119:22</strong> (http_global) chunk size mismatch detected
</p>
</li>
<li>
<p>
<strong>119:23</strong> (http_global) invalid ip in true-client-IP/XFF header
</p>
</li>
<li>
<p>
<strong>119:24</strong> (http_global) multiple host hdrs detected
</p>
</li>
<li>
<p>
<strong>119:25</strong> (http_global) hostname exceeds 255 characters
</p>
</li>
<li>
<p>
<strong>119:26</strong> (http_global) header parsing space saturation
</p>
</li>
<li>
<p>
<strong>119:27</strong> (http_global) client consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>119:28</strong> (http_global) post w/o content-length or chunks
</p>
</li>
<li>
<p>
<strong>119:29</strong> (http_global) multiple true IPs in a session
</p>
</li>
<li>
<p>
<strong>119:30</strong> (http_global) both true-client-IP and XFF hdrs present
</p>
</li>
<li>
<p>
<strong>119:31</strong> (http_global) unknown method
</p>
</li>
<li>
<p>
<strong>119:32</strong> (http_global) simple request
</p>
</li>
<li>
<p>
<strong>119:33</strong> (http_global) unescaped space in http URI
</p>
</li>
<li>
<p>
<strong>119:34</strong> (http_global) too many pipelined requests
</p>
</li>
<li>
<p>
<strong>120:1</strong> (http_inspect) anomalous http server on undefined HTTP port
</p>
</li>
<li>
<p>
<strong>120:2</strong> (http_inspect) invalid status code in HTTP response
</p>
</li>
<li>
<p>
<strong>120:3</strong> (http_inspect) no content-length or transfer-encoding in HTTP response
</p>
</li>
<li>
<p>
<strong>120:4</strong> (http_inspect) HTTP response has UTF charset which failed to normalize
</p>
</li>
<li>
<p>
<strong>120:5</strong> (http_inspect) HTTP response has UTF-7 charset
</p>
</li>
<li>
<p>
<strong>120:6</strong> (http_inspect) HTTP response gzip decompression failed
</p>
</li>
<li>
<p>
<strong>120:7</strong> (http_inspect) server consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>120:8</strong> (http_inspect) invalid content-length or chunk size
</p>
</li>
<li>
<p>
<strong>120:9</strong> (http_inspect) javascript obfuscation levels exceeds 1
</p>
</li>
<li>
<p>
<strong>120:10</strong> (http_inspect) javascript whitespaces exceeds max allowed
</p>
</li>
<li>
<p>
<strong>120:11</strong> (http_inspect) multiple encodings within javascript obfuscated data
</p>
</li>
<li>
<p>
<strong>120:12</strong> (http_inspect) HTTP response SWF file zlib decompression failure
</p>
</li>
<li>
<p>
<strong>120:13</strong> (http_inspect) HTTP response SWF file LZMA decompression failure
</p>
</li>
<li>
<p>
<strong>120:14</strong> (http_inspect) HTTP response PDF file deflate decompression failure
</p>
</li>
<li>
<p>
<strong>120:15</strong> (http_inspect) HTTP response PDF file unsupported compression type
</p>
</li>
<li>
<p>
<strong>120:16</strong> (http_inspect) HTTP response PDF file cascaded compression
</p>
</li>
<li>
<p>
<strong>120:17</strong> (http_inspect) HTTP response PDF file parse failure
</p>
</li>
<li>
<p>
<strong>122:1</strong> (port_scan) TCP portscan
</p>
</li>
<li>
<p>
<strong>122:2</strong> (port_scan) TCP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:3</strong> (port_scan) TCP portsweep
</p>
</li>
<li>
<p>
<strong>122:4</strong> (port_scan) TCP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:5</strong> (port_scan) TCP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:6</strong> (port_scan) TCP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:7</strong> (port_scan) TCP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:8</strong> (port_scan) TCP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:9</strong> (port_scan) IP protocol scan
</p>
</li>
<li>
<p>
<strong>122:10</strong> (port_scan) IP decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:11</strong> (port_scan) IP protocol sweep
</p>
</li>
<li>
<p>
<strong>122:12</strong> (port_scan) IP distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:13</strong> (port_scan) IP filtered protocol scan
</p>
</li>
<li>
<p>
<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:15</strong> (port_scan) IP filtered protocol sweep
</p>
</li>
<li>
<p>
<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:17</strong> (port_scan) UDP portscan
</p>
</li>
<li>
<p>
<strong>122:18</strong> (port_scan) UDP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:19</strong> (port_scan) UDP portsweep
</p>
</li>
<li>
<p>
<strong>122:20</strong> (port_scan) UDP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:21</strong> (port_scan) UDP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:22</strong> (port_scan) UDP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:23</strong> (port_scan) UDP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:24</strong> (port_scan) UDP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:25</strong> (port_scan) ICMP sweep
</p>
</li>
<li>
<p>
<strong>122:26</strong> (port_scan) ICMP filtered sweep
</p>
</li>
<li>
<p>
<strong>122:27</strong> (port_scan) open port
</p>
</li>
<li>
<p>
<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets
</p>
</li>
<li>
<p>
<strong>123:2</strong> (stream_ip) teardrop attack
</p>
</li>
<li>
<p>
<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt
</p>
</li>
<li>
<p>
<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet
</p>
</li>
<li>
<p>
<strong>123:5</strong> (stream_ip) zero-byte fragment packet
</p>
</li>
<li>
<p>
<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative
</p>
</li>
<li>
<p>
<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536
</p>
</li>
<li>
<p>
<strong>123:8</strong> (stream_ip) fragmentation overlap
</p>
</li>
<li>
<p>
<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly
</p>
</li>
<li>
<p>
<strong>123:12</strong> (stream_ip) excessive fragment overlap
</p>
</li>
<li>
<p>
<strong>123:13</strong> (stream_ip) tiny fragment
</p>
</li>
<li>
<p>
<strong>124:1</strong> (smtp) Attempted command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:2</strong> (smtp) Attempted data header buffer overflow
</p>
</li>
<li>
<p>
<strong>124:3</strong> (smtp) Attempted response buffer overflow
</p>
</li>
<li>
<p>
<strong>124:4</strong> (smtp) Attempted specific command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:5</strong> (smtp) Unknown command
</p>
</li>
<li>
<p>
<strong>124:6</strong> (smtp) Illegal command
</p>
</li>
<li>
<p>
<strong>124:7</strong> (smtp) Attempted header name buffer overflow
</p>
</li>
<li>
<p>
<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:10</strong> (smtp) Base64 Decoding failed.
</p>
</li>
<li>
<p>
<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed.
</p>
</li>
<li>
<p>
<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed.
</p>
</li>
<li>
<p>
<strong>124:14</strong> (smtp) Cyrus SASL authentication attack.
</p>
</li>
<li>
<p>
<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel
</p>
</li>
<li>
<p>
<strong>125:2</strong> (ftp_server) invalid FTP command
</p>
</li>
<li>
<p>
<strong>125:3</strong> (ftp_server) FTP command parameters were too long
</p>
</li>
<li>
<p>
<strong>125:4</strong> (ftp_server) FTP command parameters were malformed
</p>
</li>
<li>
<p>
<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format
</p>
</li>
<li>
<p>
<strong>125:6</strong> (ftp_server) FTP response message was too long
</p>
</li>
<li>
<p>
<strong>125:7</strong> (ftp_server) FTP traffic encrypted
</p>
</li>
<li>
<p>
<strong>125:8</strong> (ftp_server) FTP bounce attempt
</p>
</li>
<li>
<p>
<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel
</p>
</li>
<li>
<p>
<strong>126:1</strong> (telnet) consecutive telnet AYT commands beyond threshold
</p>
</li>
<li>
<p>
<strong>126:2</strong> (telnet) telnet traffic encrypted
</p>
</li>
<li>
<p>
<strong>126:3</strong> (telnet) telnet subnegotiation begin command without subnegotiation end
</p>
</li>
<li>
<p>
<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit
</p>
</li>
<li>
<p>
<strong>128:2</strong> (ssh) SSH1 CRC32 exploit
</p>
</li>
<li>
<p>
<strong>128:3</strong> (ssh) Server version string overflow
</p>
</li>
<li>
<p>
<strong>128:5</strong> (ssh) Bad message direction
</p>
</li>
<li>
<p>
<strong>128:6</strong> (ssh) Payload size incorrect for the given payload
</p>
</li>
<li>
<p>
<strong>128:7</strong> (ssh) Failed to detect SSH version string
</p>
</li>
<li>
<p>
<strong>129:1</strong> (stream_tcp) SYN on established session
</p>
</li>
<li>
<p>
<strong>129:2</strong> (stream_tcp) data on SYN packet
</p>
</li>
<li>
<p>
<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data
</p>
</li>
<li>
<p>
<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window
</p>
</li>
<li>
<p>
<strong>129:5</strong> (stream_tcp) bad segment, adjusted size &#8656; 0
</p>
</li>
<li>
<p>
<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows
</p>
</li>
<li>
<p>
<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached
</p>
</li>
<li>
<p>
<strong>129:8</strong> (stream_tcp) data sent on stream after TCP Reset sent
</p>
</li>
<li>
<p>
<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:10</strong> (stream_tcp) TCP Server possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set
</p>
</li>
<li>
<p>
<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold
</p>
</li>
<li>
<p>
<strong>129:13</strong> (stream_tcp) 4-way handshake detected
</p>
</li>
<li>
<p>
<strong>129:14</strong> (stream_tcp) TCP timestamp is missing
</p>
</li>
<li>
<p>
<strong>129:15</strong> (stream_tcp) reset outside window
</p>
</li>
<li>
<p>
<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:18</strong> (stream_tcp) data sent on stream after TCP Reset received
</p>
</li>
<li>
<p>
<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data
</p>
</li>
<li>
<p>
<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake
</p>
</li>
<li>
<p>
<strong>131:1</strong> (dns) Obsolete DNS RR Types
</p>
</li>
<li>
<p>
<strong>131:2</strong> (dns) Experimental DNS RR Types
</p>
</li>
<li>
<p>
<strong>131:3</strong> (dns) DNS Client rdata txt Overflow
</p>
</li>
<li>
<p>
<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected
</p>
</li>
<li>
<p>
<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected
</p>
</li>
<li>
<p>
<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected
</p>
</li>
<li>
<p>
<strong>137:4</strong> (ssl) Large Heartbeat Response Detected
</p>
</li>
<li>
<p>
<strong>140:1</strong> (sip) Maximum sessions reached
</p>
</li>
<li>
<p>
<strong>140:2</strong> (sip) Empty request URI
</p>
</li>
<li>
<p>
<strong>140:3</strong> (sip) URI is too long
</p>
</li>
<li>
<p>
<strong>140:4</strong> (sip) Empty call-Id
</p>
</li>
<li>
<p>
<strong>140:5</strong> (sip) Call-Id is too long
</p>
</li>
<li>
<p>
<strong>140:6</strong> (sip) CSeq number is too large or negative
</p>
</li>
<li>
<p>
<strong>140:7</strong> (sip) Request name in CSeq is too long
</p>
</li>
<li>
<p>
<strong>140:8</strong> (sip) Empty From header
</p>
</li>
<li>
<p>
<strong>140:9</strong> (sip) From header is too long
</p>
</li>
<li>
<p>
<strong>140:10</strong> (sip) Empty To header
</p>
</li>
<li>
<p>
<strong>140:11</strong> (sip) To header is too long
</p>
</li>
<li>
<p>
<strong>140:12</strong> (sip) Empty Via header
</p>
</li>
<li>
<p>
<strong>140:13</strong> (sip) Via header is too long
</p>
</li>
<li>
<p>
<strong>140:14</strong> (sip) Empty Contact
</p>
</li>
<li>
<p>
<strong>140:15</strong> (sip) Contact is too long
</p>
</li>
<li>
<p>
<strong>140:16</strong> (sip) Content length is too large or negative
</p>
</li>
<li>
<p>
<strong>140:17</strong> (sip) Multiple SIP messages in a packet
</p>
</li>
<li>
<p>
<strong>140:18</strong> (sip) Content length mismatch
</p>
</li>
<li>
<p>
<strong>140:19</strong> (sip) Request name is invalid
</p>
</li>
<li>
<p>
<strong>140:20</strong> (sip) Invite replay attack
</p>
</li>
<li>
<p>
<strong>140:21</strong> (sip) Illegal session information modification
</p>
</li>
<li>
<p>
<strong>140:22</strong> (sip) Response status code is not a 3 digit number
</p>
</li>
<li>
<p>
<strong>140:23</strong> (sip) Empty Content-type header
</p>
</li>
<li>
<p>
<strong>140:24</strong> (sip) SIP version is invalid
</p>
</li>
<li>
<p>
<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header
</p>
</li>
<li>
<p>
<strong>140:26</strong> (sip) Method is unknown
</p>
</li>
<li>
<p>
<strong>140:27</strong> (sip) Maximum dialogs within a session reached
</p>
</li>
<li>
<p>
<strong>141:1</strong> (imap) Unknown IMAP3 command
</p>
</li>
<li>
<p>
<strong>141:2</strong> (imap) Unknown IMAP3 response
</p>
</li>
<li>
<p>
<strong>141:4</strong> (imap) Base64 Decoding failed.
</p>
</li>
<li>
<p>
<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.
</p>
</li>
<li>
<p>
<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.
</p>
</li>
<li>
<p>
<strong>142:1</strong> (pop) Unknown POP3 command
</p>
</li>
<li>
<p>
<strong>142:2</strong> (pop) Unknown POP3 response
</p>
</li>
<li>
<p>
<strong>142:4</strong> (pop) Base64 Decoding failed.
</p>
</li>
<li>
<p>
<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.
</p>
</li>
<li>
<p>
<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.
</p>
</li>
<li>
<p>
<strong>143:1</strong> (gtp_inspect) message length is invalid
</p>
</li>
<li>
<p>
<strong>143:2</strong> (gtp_inspect) information element length is invalid
</p>
</li>
<li>
<p>
<strong>143:3</strong> (gtp_inspect) information elements are out of order
</p>
</li>
<li>
<p>
<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function
</p>
</li>
<li>
<p>
<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero
</p>
</li>
<li>
<p>
<strong>144:3</strong> (modbus) Reserved Modbus function code in use
</p>
</li>
<li>
<p>
<strong>219:1</strong> (new_http_inspect) ascii encoding
</p>
</li>
<li>
<p>
<strong>219:2</strong> (new_http_inspect) double decoding attack
</p>
</li>
<li>
<p>
<strong>219:3</strong> (new_http_inspect) u encoding
</p>
</li>
<li>
<p>
<strong>219:4</strong> (new_http_inspect) bare byte unicode encoding
</p>
</li>
<li>
<p>
<strong>219:5</strong> (new_http_inspect) obsolete event&#8212;should not appear
</p>
</li>
<li>
<p>
<strong>219:6</strong> (new_http_inspect) UTF-8 encoding
</p>
</li>
<li>
<p>
<strong>219:7</strong> (new_http_inspect) IIS unicode codepoint encoding
</p>
</li>
<li>
<p>
<strong>219:8</strong> (new_http_inspect) multi_slash encoding
</p>
</li>
<li>
<p>
<strong>219:9</strong> (new_http_inspect) IIS backslash evasion
</p>
</li>
<li>
<p>
<strong>219:10</strong> (new_http_inspect) self directory traversal
</p>
</li>
<li>
<p>
<strong>219:11</strong> (new_http_inspect) directory traversal
</p>
</li>
<li>
<p>
<strong>219:12</strong> (new_http_inspect) apache whitespace (tab)
</p>
</li>
<li>
<p>
<strong>219:13</strong> (new_http_inspect) non-RFC http delimiter
</p>
</li>
<li>
<p>
<strong>219:14</strong> (new_http_inspect) non-RFC defined char
</p>
</li>
<li>
<p>
<strong>219:15</strong> (new_http_inspect) oversize request-uri directory
</p>
</li>
<li>
<p>
<strong>219:16</strong> (new_http_inspect) oversize chunk encoding
</p>
</li>
<li>
<p>
<strong>219:17</strong> (new_http_inspect) unauthorized proxy use detected
</p>
</li>
<li>
<p>
<strong>219:18</strong> (new_http_inspect) webroot directory traversal
</p>
</li>
<li>
<p>
<strong>219:19</strong> (new_http_inspect) long header
</p>
</li>
<li>
<p>
<strong>219:20</strong> (new_http_inspect) max header fields
</p>
</li>
<li>
<p>
<strong>219:21</strong> (new_http_inspect) multiple content length
</p>
</li>
<li>
<p>
<strong>219:22</strong> (new_http_inspect) chunk size mismatch detected
</p>
</li>
<li>
<p>
<strong>219:23</strong> (new_http_inspect) invalid IP in true-client-IP/XFF header
</p>
</li>
<li>
<p>
<strong>219:24</strong> (new_http_inspect) multiple host hdrs detected
</p>
</li>
<li>
<p>
<strong>219:25</strong> (new_http_inspect) hostname exceeds 255 characters
</p>
</li>
<li>
<p>
<strong>219:26</strong> (new_http_inspect) header parsing space saturation
</p>
</li>
<li>
<p>
<strong>219:27</strong> (new_http_inspect) client consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>219:28</strong> (new_http_inspect) post w/o content-length or chunks
</p>
</li>
<li>
<p>
<strong>219:29</strong> (new_http_inspect) multiple true ips in a session
</p>
</li>
<li>
<p>
<strong>219:30</strong> (new_http_inspect) both true-client-IP and XFF hdrs present
</p>
</li>
<li>
<p>
<strong>219:31</strong> (new_http_inspect) unknown method
</p>
</li>
<li>
<p>
<strong>219:32</strong> (new_http_inspect) simple request
</p>
</li>
<li>
<p>
<strong>219:33</strong> (new_http_inspect) unescaped space in HTTP URI
</p>
</li>
<li>
<p>
<strong>219:34</strong> (new_http_inspect) too many pipelined requests
</p>
</li>
<li>
<p>
<strong>219:35</strong> (new_http_inspect) anomalous http server on undefined HTTP port
</p>
</li>
<li>
<p>
<strong>219:36</strong> (new_http_inspect) invalid status code in HTTP response
</p>
</li>
<li>
<p>
<strong>219:37</strong> (new_http_inspect) no content-length or transfer-encoding in HTTP response
</p>
</li>
<li>
<p>
<strong>219:38</strong> (new_http_inspect) HTTP response has UTF charset which failed to normalize
</p>
</li>
<li>
<p>
<strong>219:39</strong> (new_http_inspect) HTTP response has UTF-7 charset
</p>
</li>
<li>
<p>
<strong>219:40</strong> (new_http_inspect) HTTP response gzip decompression failed
</p>
</li>
<li>
<p>
<strong>219:41</strong> (new_http_inspect) server consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>219:42</strong> (new_http_inspect) invalid content-length or chunk size
</p>
</li>
<li>
<p>
<strong>219:43</strong> (new_http_inspect) javascript obfuscation levels exceeds 1
</p>
</li>
<li>
<p>
<strong>219:44</strong> (new_http_inspect) javascript whitespaces exceeds max allowed
</p>
</li>
<li>
<p>
<strong>219:45</strong> (new_http_inspect) multiple encodings within javascript obfuscated data
</p>
</li>
<li>
<p>
<strong>219:46</strong> (new_http_inspect) SWF file zlib decompression failure
</p>
</li>
<li>
<p>
<strong>219:47</strong> (new_http_inspect) SWF file LZMA decompression failure
</p>
</li>
<li>
<p>
<strong>219:48</strong> (new_http_inspect) PDF file deflate decompression failure
</p>
</li>
<li>
<p>
<strong>219:49</strong> (new_http_inspect) PDF file unsupported compression type
</p>
</li>
<li>
<p>
<strong>219:50</strong> (new_http_inspect) PDF file cascaded compression
</p>
</li>
<li>
<p>
<strong>219:51</strong> (new_http_inspect) PDF file parse failure
</p>
</li>
<li>
<p>
<strong>219:52</strong> (new_http_inspect) HTTP misformatted or not really HTTP
</p>
</li>
<li>
<p>
<strong>219:53</strong> (new_http_inspect) Chunk length has excessive leading zeros
</p>
</li>
<li>
<p>
<strong>219:54</strong> (new_http_inspect) White space before or between messages
</p>
</li>
<li>
<p>
<strong>219:55</strong> (new_http_inspect) Request message without URI
</p>
</li>
<li>
<p>
<strong>219:56</strong> (new_http_inspect) Control character in reason phrase
</p>
</li>
<li>
<p>
<strong>219:57</strong> (new_http_inspect) Illegal extra whitespace in start line
</p>
</li>
<li>
<p>
<strong>219:58</strong> (new_http_inspect) Corrupted HTTP version
</p>
</li>
<li>
<p>
<strong>219:59</strong> (new_http_inspect) Unknown HTTP version
</p>
</li>
<li>
<p>
<strong>219:60</strong> (new_http_inspect) Format error in HTTP header
</p>
</li>
<li>
<p>
<strong>219:61</strong> (new_http_inspect) Chunk header options present
</p>
</li>
<li>
<p>
<strong>219:62</strong> (new_http_inspect) URI badly formatted
</p>
</li>
<li>
<p>
<strong>219:63</strong> (new_http_inspect) URI bad port number
</p>
</li>
<li>
<p>
<strong>219:64</strong> (new_http_inspect) HTTP chunk misformatted
</p>
</li>
<li>
<p>
<strong>219:65</strong> (new_http_inspect) White space following chunk length
</p>
</li>
<li>
<p>
<strong>219:67</strong> (new_http_inspect) Excessive gzip compression
</p>
</li>
<li>
<p>
<strong>219:68</strong> (new_http_inspect) Gzip decompression failed
</p>
</li>
<li>
<p>
<strong>256:1</strong> (dpx) too much data sent to port
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_command_set">Command Set</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>snort.detach</strong>(): exit shell w/o shutdown
</p>
</li>
<li>
<p>
<strong>snort.dump_stats</strong>(): show summary statistics
</p>
</li>
<li>
<p>
<strong>snort.help</strong>(): this output
</p>
</li>
<li>
<p>
<strong>snort.pause</strong>(): suspend packet processing
</p>
</li>
<li>
<p>
<strong>snort.quit</strong>(): shutdown and dump-stats
</p>
</li>
<li>
<p>
<strong>snort.reload_config</strong>(filename): load new configuration
</p>
</li>
<li>
<p>
<strong>snort.reload_hosts</strong>(filename): load a new hosts table
</p>
</li>
<li>
<p>
<strong>snort.resume</strong>(): continue packet processing
</p>
</li>
<li>
<p>
<strong>snort.rotate_stats</strong>(): roll perfmonitor log files
</p>
</li>
<li>
<p>
<strong>snort.show_plugins</strong>(): show available plugins
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_signals_2">Signals</h3>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/important.png" alt="Important" />
</td>
<td class="content">Signal numbers are for the system that generated this
documentation and are not applicable elsewhere.</td>
</tr></table>
</div>
<div class="ulist"><ul>
<li>
<p>
<strong>hosts</strong>(16): reload hosts file
</p>
</li>
<li>
<p>
<strong>int</strong>(2): shutdown normally
</p>
</li>
<li>
<p>
<strong>quit</strong>(3): shutdown as if started with --dirty-pig
</p>
</li>
<li>
<p>
<strong>reload</strong>(1): reload config file
</p>
</li>
<li>
<p>
<strong>rotate</strong>(31): rotate stats files
</p>
</li>
<li>
<p>
<strong>stats</strong>(30): dump stats to stdout
</p>
</li>
<li>
<p>
<strong>term</strong>(15): shutdown normally
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_configuration_changes">Configuration Changes</h3>
<div class="listingblock">
<div class="content">
<pre><code>change -&gt;  dynamicdetection ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt;  dynamicengine ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt;  dynamicpreprocessor ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt;  dynamicsidechannel ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt; alertfile: 'config alertfile:' ==&gt; 'alert_fast.file'
change -&gt; alertfile: 'config alertfile:' ==&gt; 'alert_full.file'
change -&gt; attribute_table: 'STREAM_POLICY' ==&gt; 'hosts: tcp_policy'
change -&gt; attribute_table: 'filename &lt;file_name&gt;' ==&gt; 'hosts[]'
change -&gt; config ' addressspace_agnostic'  ==&gt; ' packets. address_space_agnostic'
change -&gt; config ' checksum_mode'  ==&gt; ' network. checksum_eval'
change -&gt; config ' daq'  ==&gt; ' daq. type'
change -&gt; config ' daq_dir'  ==&gt; ' daq. dir'
change -&gt; config ' daq_mode'  ==&gt; ' daq. mode'
change -&gt; config ' daq_var'  ==&gt; ' daq. var'
change -&gt; config ' detection_filter'  ==&gt; ' alerts. detection_filter_memcap'
change -&gt; config ' enable_deep_teredo_inspection'  ==&gt; ' udp. deep_teredo_inspection'
change -&gt; config ' event_filter'  ==&gt; ' alerts. event_filter_memcap'
change -&gt; config ' max_attribute_hosts'  ==&gt; ' attribute_table. max_hosts'
change -&gt; config ' max_attribute_services_per_host'  ==&gt; ' attribute_table. max_services_per_host'
change -&gt; config ' nopcre'  ==&gt; ' detection. pcre_enable'
change -&gt; config ' pkt_count'  ==&gt; ' packets. limit'
change -&gt; config ' rate_filter'  ==&gt; ' alerts. rate_filter_memcap'
change -&gt; config ' react'  ==&gt; ' react. page'
change -&gt; config ' threshold'  ==&gt; ' alerts. event_filter_memcap'
change -&gt; csv: 'dgmlen' ==&gt; 'dgm_len'
change -&gt; csv: 'dst' ==&gt; 'dst_addr'
change -&gt; csv: 'dstport' ==&gt; 'dst_port'
change -&gt; csv: 'ethdst' ==&gt; 'eth_dst'
change -&gt; csv: 'ethlen' ==&gt; 'eth_len'
change -&gt; csv: 'ethsrc' ==&gt; 'eth_src'
change -&gt; csv: 'ethtype' ==&gt; 'eth_type'
change -&gt; csv: 'icmpcode' ==&gt; 'icmp_code'
change -&gt; csv: 'icmpid' ==&gt; 'icmp_id'
change -&gt; csv: 'icmpseq' ==&gt; 'icmp_seq'
change -&gt; csv: 'icmptype' ==&gt; 'icmp_type'
change -&gt; csv: 'iplen' ==&gt; 'ip_len'
change -&gt; csv: 'sig_generator' ==&gt; 'gid'
change -&gt; csv: 'sig_id' ==&gt; 'sid'
change -&gt; csv: 'sig_rev' ==&gt; 'rev'
change -&gt; csv: 'src' ==&gt; 'src_addr'
change -&gt; csv: 'srcport' ==&gt; 'src_port'
change -&gt; csv: 'tcpack' ==&gt; 'tcp_ack'
change -&gt; csv: 'tcpflags' ==&gt; 'tcp_flags'
change -&gt; csv: 'tcplen' ==&gt; 'tcp_len'
change -&gt; csv: 'tcpseq' ==&gt; 'tcp_seq'
change -&gt; csv: 'tcpwindow' ==&gt; 'tcp_win'
change -&gt; csv: 'udplength' ==&gt; 'udp_len'
change -&gt; detection: 'ac' ==&gt; 'ac_full_q'
change -&gt; detection: 'ac-banded' ==&gt; 'ac_banded'
change -&gt; detection: 'ac-bnfa' ==&gt; 'ac_bnfa_q'
change -&gt; detection: 'ac-bnfa-nq' ==&gt; 'ac_bnfa'
change -&gt; detection: 'ac-bnfa-q' ==&gt; 'ac_bnfa_q'
change -&gt; detection: 'ac-nq' ==&gt; 'ac_full'
change -&gt; detection: 'ac-q' ==&gt; 'ac_full_q'
change -&gt; detection: 'ac-sparsebands' ==&gt; 'ac_sparse_bands'
change -&gt; detection: 'ac-split' ==&gt; 'ac_full_q'
change -&gt; detection: 'ac-split' ==&gt; 'split_any_any'
change -&gt; detection: 'ac-std' ==&gt; 'ac_std'
change -&gt; detection: 'acs' ==&gt; 'ac_sparse'
change -&gt; detection: 'bleedover-port-limit' ==&gt; 'bleedover_port_limit'
change -&gt; detection: 'intel-cpm' ==&gt; 'intel_cpm'
change -&gt; detection: 'lowmem' ==&gt; 'lowmem_q'
change -&gt; detection: 'lowmem-nq' ==&gt; 'lowmem'
change -&gt; detection: 'lowmem-q' ==&gt; 'lowmem_q'
change -&gt; detection: 'max-pattern-len' ==&gt; 'max_pattern_len'
change -&gt; detection: 'search-method' ==&gt; 'search_method'
change -&gt; detection: 'search-optimize' ==&gt; 'search_optimize'
change -&gt; detection: 'split-any-any' ==&gt; 'split_any_any'
change -&gt; dns: 'ports' ==&gt; 'bindings'
change -&gt; event_filter: 'gen_id' ==&gt; 'gid'
change -&gt; event_filter: 'sig_id' ==&gt; 'sid'
change -&gt; event_filter: 'threshold' ==&gt; 'event_filter'
change -&gt; file: 'config file: file_block_timeout' ==&gt; 'block_timeout'
change -&gt; file: 'config file: file_type_depth' ==&gt; 'type_depth'
change -&gt; file: 'config file: signature' ==&gt; 'enable_signature'
change -&gt; file: 'config file: type_id' ==&gt; 'enable_type'
change -&gt; frag3_engine: 'min_fragment_length' ==&gt; 'min_frag_length'
change -&gt; frag3_engine: 'overlap_limit' ==&gt; 'max_overlaps'
change -&gt; frag3_engine: 'policy bsd-right' ==&gt; 'policy = bsd_right'
change -&gt; frag3_engine: 'timeout' ==&gt; 'session_timeout'
change -&gt; ftp_telnet_protocol: 'alt_max_param_len' ==&gt; 'cmd_validity'
change -&gt; ftp_telnet_protocol: 'data_chan' ==&gt; 'ignore_data_chan'
change -&gt; ftp_telnet_protocol: 'ports' ==&gt; 'bindings'
change -&gt; gtp: 'ports' ==&gt; 'gtp_ports'
change -&gt; http_inspect: 'http_inspect' ==&gt; 'http_global'
change -&gt; http_inspect_server: 'apache_whitespace' ==&gt; 'profile.apache_whitespace'
change -&gt; http_inspect_server: 'ascii' ==&gt; 'profile.ascii'
change -&gt; http_inspect_server: 'bare_byte' ==&gt; 'profile.bare_byte'
change -&gt; http_inspect_server: 'chunk_length' ==&gt; 'profile.chunk_length'
change -&gt; http_inspect_server: 'client_flow_depth' ==&gt; 'profile.client_flow_depth'
change -&gt; http_inspect_server: 'directory' ==&gt; 'profile.directory'
change -&gt; http_inspect_server: 'double_decode' ==&gt; 'profile.double_decode'
change -&gt; http_inspect_server: 'enable_cookie' ==&gt; 'enable_cookies'
change -&gt; http_inspect_server: 'flow_depth' ==&gt; 'server_flow_depth'
change -&gt; http_inspect_server: 'http_inspect_server' ==&gt; 'http_inspect'
change -&gt; http_inspect_server: 'iis_backslash' ==&gt; 'profile.iis_backslash'
change -&gt; http_inspect_server: 'iis_delimiter' ==&gt; 'profile.iis_delimiter'
change -&gt; http_inspect_server: 'iis_unicode' ==&gt; 'profile.iis_unicode'
change -&gt; http_inspect_server: 'max_header_length' ==&gt; 'profile.max_header_length'
change -&gt; http_inspect_server: 'max_headers' ==&gt; 'profile.max_headers'
change -&gt; http_inspect_server: 'max_spaces' ==&gt; 'profile.max_spaces'
change -&gt; http_inspect_server: 'multi_slash' ==&gt; 'profile.multi_slash'
change -&gt; http_inspect_server: 'non_rfc_char' ==&gt; 'non_rfc_chars'
change -&gt; http_inspect_server: 'non_strict' ==&gt; 'profile.non_strict'
change -&gt; http_inspect_server: 'normalize_utf' ==&gt; 'profile.normalize_utf'
change -&gt; http_inspect_server: 'ports' ==&gt; 'bindings'
change -&gt; http_inspect_server: 'u_encode' ==&gt; 'profile.u_encode'
change -&gt; http_inspect_server: 'utf_8' ==&gt; 'profile.utf_8'
change -&gt; http_inspect_server: 'webroot' ==&gt; 'profile.webroot'
change -&gt; http_inspect_server: 'whitespace_chars' ==&gt; 'profile.whitespace_chars'
change -&gt; imap: 'ports' ==&gt; 'bindings'
change -&gt; paf_max: 'paf_max [0:63780]' ==&gt; 'max_pdu [1460:63780]'
change -&gt; perfmonitor: 'accumulate' ==&gt; 'reset = false'
change -&gt; perfmonitor: 'flow-file' ==&gt; 'flow_file = true'
change -&gt; perfmonitor: 'flow-ip' ==&gt; 'flow_ip'
change -&gt; perfmonitor: 'flow-ip-file' ==&gt; 'flow_ip_file = true'
change -&gt; perfmonitor: 'flow-ip-memcap' ==&gt; 'flow_ip_memcap'
change -&gt; perfmonitor: 'flow-ports' ==&gt; 'flow_ports'
change -&gt; perfmonitor: 'pktcnt' ==&gt; 'packets'
change -&gt; perfmonitor: 'snortfile' ==&gt; 'file = true'
change -&gt; perfmonitor: 'time' ==&gt; 'seconds'
change -&gt; policy_mode: 'inline_test' ==&gt; 'inline-test'
change -&gt; pop: 'ports' ==&gt; 'bindings'
change -&gt; ppm: 'max-pkt-time' ==&gt; 'max_pkt_time'
change -&gt; ppm: 'max-rule-time' ==&gt; 'max_rule_time'
change -&gt; ppm: 'pkt-log' ==&gt; 'pkt_log'
change -&gt; ppm: 'rule-log' ==&gt; 'rule_log'
change -&gt; ppm: 'suspend-timeout' ==&gt; 'suspend_timeout'
change -&gt; preprocessor 'normalize_ icmp4' ==&gt; 'normalize. icmp4'
change -&gt; preprocessor 'normalize_ icmp6' ==&gt; 'normalize. icmp6'
change -&gt; preprocessor 'normalize_ ip6' ==&gt; 'normalize. ip6'
change -&gt; profile: 'print' ==&gt; 'count'
change -&gt; rate_filter: 'gen_id' ==&gt; 'gid'
change -&gt; rate_filter: 'sig_id' ==&gt; 'sid'
change -&gt; rule_state: 'disabled' ==&gt; 'enable'
change -&gt; rule_state: 'enabled' ==&gt; 'enable'
change -&gt; sfportscan: 'proto' ==&gt; 'protos'
change -&gt; sfportscan: 'scan_type' ==&gt; 'scan_types'
change -&gt; sip: 'ports' ==&gt; 'bindings'
change -&gt; smtp: 'ports' ==&gt; 'bindings'
change -&gt; ssh: 'server_ports' ==&gt; 'bindings'
change -&gt; ssl: 'ports' ==&gt; 'bindings'
change -&gt; stream5_global: 'max_active_responses' ==&gt; 'max_responses'
change -&gt; stream5_global: 'max_icmp' ==&gt; 'max_sessions'
change -&gt; stream5_global: 'max_ip' ==&gt; 'max_sessions'
change -&gt; stream5_global: 'max_tcp' ==&gt; 'max_sessions'
change -&gt; stream5_global: 'max_udp' ==&gt; 'max_sessions'
change -&gt; stream5_global: 'min_response_seconds' ==&gt; 'min_interval'
change -&gt; stream5_global: 'prune_log_max' ==&gt; 'histogram'
change -&gt; stream5_global: 'tcp_cache_nominal_timeout' ==&gt; 'pruning_timeout'
change -&gt; stream5_global: 'tcp_cache_pruning_timeout' ==&gt; 'idle_timeout'
change -&gt; stream5_global: 'udp_cache_nominal_timeout' ==&gt; 'idle_timeout'
change -&gt; stream5_global: 'udp_cache_pruning_timeout' ==&gt; 'pruning_timeout'
change -&gt; stream5_ip: 'timeout' ==&gt; 'session_timeout'
change -&gt; stream5_tcp: 'bind_to' ==&gt; 'bindings'
change -&gt; stream5_tcp: 'dont_reassemble_async' ==&gt; 'reassemble_async'
change -&gt; stream5_tcp: 'max_queued_bytes' ==&gt; 'queue_limit.max_bytes'
change -&gt; stream5_tcp: 'max_queued_segs' ==&gt; 'queue_limit.max_segments'
change -&gt; stream5_tcp: 'policy hpux' ==&gt; 'stream_tcp.policy = hpux11'
change -&gt; stream5_tcp: 'timeout' ==&gt; 'session_timeout'
change -&gt; stream5_tcp: 'use_static_footprint_sizes' ==&gt; 'footprint'
change -&gt; stream5_udp: 'timeout' ==&gt; 'session_timeout'
change -&gt; suppress: 'gen_id' ==&gt; 'gid'
change -&gt; suppress: 'sig_id' ==&gt; 'sid'
change -&gt; syslog: 'log_alert' ==&gt; 'level = alert'
change -&gt; syslog: 'log_auth' ==&gt; 'facility = auth'
change -&gt; syslog: 'log_authpriv' ==&gt; 'facility = authpriv'
change -&gt; syslog: 'log_cons' ==&gt; 'options = cons'
change -&gt; syslog: 'log_crit' ==&gt; 'level = crit'
change -&gt; syslog: 'log_daemon' ==&gt; 'facility = daemon'
change -&gt; syslog: 'log_debug' ==&gt; 'level = debug'
change -&gt; syslog: 'log_emerg' ==&gt; 'level = emerg'
change -&gt; syslog: 'log_err' ==&gt; 'level = err'
change -&gt; syslog: 'log_info' ==&gt; 'level = info'
change -&gt; syslog: 'log_local0' ==&gt; 'facility = local0'
change -&gt; syslog: 'log_local1' ==&gt; 'facility = local1'
change -&gt; syslog: 'log_local2' ==&gt; 'facility = local2'
change -&gt; syslog: 'log_local3' ==&gt; 'facility = local3'
change -&gt; syslog: 'log_local4' ==&gt; 'facility = local4'
change -&gt; syslog: 'log_local5' ==&gt; 'facility = local5'
change -&gt; syslog: 'log_local6' ==&gt; 'facility = local6'
change -&gt; syslog: 'log_local7' ==&gt; 'facility = local7'
change -&gt; syslog: 'log_ndelay' ==&gt; 'options = ndelay'
change -&gt; syslog: 'log_notice' ==&gt; 'level = notice'
change -&gt; syslog: 'log_perror' ==&gt; 'options = perror'
change -&gt; syslog: 'log_pid' ==&gt; 'options = pid'
change -&gt; syslog: 'log_user' ==&gt; 'facility = user'
change -&gt; syslog: 'log_warning' ==&gt; 'level = warning'
change -&gt; threshold: 'ips_option: threshold' ==&gt; 'event_filter'
change -&gt; unified2: ' alert_unified2' ==&gt; 'unified2'
change -&gt; unified2: ' log_unified2' ==&gt; 'unified2'
change -&gt; unified2: ' unified2' ==&gt; 'unified2'
deleted -&gt; arpspoof: 'unicast'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;hpux&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;irix&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;old-linux&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;unknown&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;STREAM_POLICY&gt;noack&lt;/STREAM_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;STREAM_POLICY&gt;unknown&lt;/STREAM_POLICY&gt;'
deleted -&gt; config ' cs_dir'
deleted -&gt; config ' disable_attribute_reload_thread'
deleted -&gt; config ' disable_decode_alerts'
deleted -&gt; config ' disable_decode_drops'
deleted -&gt; config ' disable_ipopt_alerts'
deleted -&gt; config ' disable_ipopt_drops'
deleted -&gt; config ' disable_tcpopt_alerts'
deleted -&gt; config ' disable_tcpopt_drops'
deleted -&gt; config ' disable_tcpopt_experimental_alerts'
deleted -&gt; config ' disable_tcpopt_experimental_drops'
deleted -&gt; config ' disable_tcpopt_obsolete_alerts'
deleted -&gt; config ' disable_tcpopt_obsolete_drops'
deleted -&gt; config ' disable_tcpopt_ttcp_alerts'
deleted -&gt; config ' disable_ttcp_alerts'
deleted -&gt; config ' disable_ttcp_drops'
deleted -&gt; config ' dump_dynamic_rules_path'
deleted -&gt; config ' enable_decode_drops'
deleted -&gt; config ' enable_decode_oversized_alerts'
deleted -&gt; config ' enable_decode_oversized_drops'
deleted -&gt; config ' enable_ipopt_drops'
deleted -&gt; config ' enable_tcpopt_drops'
deleted -&gt; config ' enable_tcpopt_experimental_drops'
deleted -&gt; config ' enable_tcpopt_obsolete_drops'
deleted -&gt; config ' enable_tcpopt_ttcp_drops'
deleted -&gt; config ' enable_ttcp_drops'
deleted -&gt; config ' flexresp2_attempts'
deleted -&gt; config ' flexresp2_interface'
deleted -&gt; config ' flexresp2_memcap'
deleted -&gt; config ' flexresp2_rows'
deleted -&gt; config ' flowbits_size'
deleted -&gt; config ' include_vlan_in_alerts'
deleted -&gt; config ' interface'
deleted -&gt; config ' layer2resets'
deleted -&gt; config ' policy_version'
deleted -&gt; config ' so_rule_memcap'
deleted -&gt; csv: '&lt;filename&gt; can no longer be specific'
deleted -&gt; csv: 'default'
deleted -&gt; csv: 'trheader'
deleted -&gt; detection: 'mwm'
deleted -&gt; dns: 'enable_experimental_types'
deleted -&gt; dns: 'enable_obsolete_types'
deleted -&gt; dns: 'enable_rdata_overflow'
deleted -&gt; fast: '&lt;filename&gt; can no longer be specific'
deleted -&gt; frag3_engine: 'detect_anomalies'
deleted -&gt; frag3_global: 'disabled'
deleted -&gt; ftp_telnet_protocol: 'detect_anomalies'
deleted -&gt; full: '&lt;filename&gt; can no longer be specific'
deleted -&gt; http_inspect: 'disabled'
deleted -&gt; http_inspect_server: 'no_alerts'
deleted -&gt; imap: 'disabled'
deleted -&gt; imap: 'max_mime_mem'
deleted -&gt; imap: 'memcap'
deleted -&gt; perfmonitor: 'atexitonly'
deleted -&gt; perfmonitor: 'atexitonly: base-stats'
deleted -&gt; perfmonitor: 'atexitonly: events-stats'
deleted -&gt; perfmonitor: 'atexitonly: flow-ip-stats'
deleted -&gt; perfmonitor: 'atexitonly: flow-stats'
deleted -&gt; pop: 'disabled'
deleted -&gt; pop: 'max_mime_mem'
deleted -&gt; pop: 'memcap'
deleted -&gt; ppm: 'debug-pkts'
deleted -&gt; react: 'block'
deleted -&gt; react: 'warn'
deleted -&gt; rpc_decode: 'alert_fragments'
deleted -&gt; rpc_decode: 'no_alert_incomplete'
deleted -&gt; rpc_decode: 'no_alert_large_fragments'
deleted -&gt; rpc_decode: 'no_alert_multiple_requests'
deleted -&gt; rule_state: 'action'
deleted -&gt; sfportscan: 'detect_ack_scans'
deleted -&gt; sfportscan: 'disabled'
deleted -&gt; sfportscan: 'logfile'
deleted -&gt; sip: 'disabled'
deleted -&gt; smtp: 'alert_unknown_cmds'
deleted -&gt; smtp: 'disabled'
deleted -&gt; smtp: 'enable_mime_decoding'
deleted -&gt; smtp: 'inspection_type'
deleted -&gt; smtp: 'max_mime_depth'
deleted -&gt; smtp: 'max_mime_mem'
deleted -&gt; smtp: 'memcap'
deleted -&gt; smtp: 'no_alerts'
deleted -&gt; smtp: 'print_cmds'
deleted -&gt; ssh: 'autodetect'
deleted -&gt; ssh: 'enable_badmsgdir'
deleted -&gt; ssh: 'enable_paysize'
deleted -&gt; ssh: 'enable_protomismatch'
deleted -&gt; ssh: 'enable_recognition'
deleted -&gt; ssh: 'enable_respoverflow'
deleted -&gt; ssh: 'enable_srvoverflow'
deleted -&gt; ssh: 'enable_ssh1crc32'
deleted -&gt; ssl: 'noinspect_encrypted'
deleted -&gt; stream5_global: 'disabled'
deleted -&gt; stream5_global: 'flush_on_alert'
deleted -&gt; stream5_global: 'no_midstream_drop_alerts'
deleted -&gt; stream5_tcp: 'check_session_hijacking'
deleted -&gt; stream5_tcp: 'detect_anomalies'
deleted -&gt; stream5_tcp: 'dont_store_large_packets'
deleted -&gt; stream5_tcp: 'policy noack'
deleted -&gt; stream5_tcp: 'policy unknown'
deleted -&gt; tcpdump: '&lt;filename&gt; can no longer be specific'
deleted -&gt; test: 'file'
deleted -&gt; test: 'stdout'
deleted -&gt; unified2: 'filename'</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_module_listing">Module Listing</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>ack</strong> (ips_option): rule option to match on TCP ack numbers
</p>
</li>
<li>
<p>
<strong>active</strong> (basic): configure responses
</p>
</li>
<li>
<p>
<strong>alert_csv</strong> (logger): output event in csv format
</p>
</li>
<li>
<p>
<strong>alert_ex</strong> (logger): output gid:sid:rev for alerts
</p>
</li>
<li>
<p>
<strong>alert_fast</strong> (logger): output event with brief text format
</p>
</li>
<li>
<p>
<strong>alert_full</strong> (logger): output event with full packet dump
</p>
</li>
<li>
<p>
<strong>alert_syslog</strong> (logger): output event to syslog
</p>
</li>
<li>
<p>
<strong>alert_unixsock</strong> (logger): output event over unix socket
</p>
</li>
<li>
<p>
<strong>alerts</strong> (basic): configure alerts
</p>
</li>
<li>
<p>
<strong>arp</strong> (codec): support for address resolution protocol
</p>
</li>
<li>
<p>
<strong>arp_spoof</strong> (inspector): detect ARP attacks and anomalies
</p>
</li>
<li>
<p>
<strong>asn1</strong> (ips_option): rule option for asn1 detection
</p>
</li>
<li>
<p>
<strong>attribute_table</strong> (basic): configure hosts loading
</p>
</li>
<li>
<p>
<strong>auth</strong> (codec): support for IP authentication header
</p>
</li>
<li>
<p>
<strong>back_orifice</strong> (inspector): back orifice detection
</p>
</li>
<li>
<p>
<strong>base64_decode</strong> (ips_option): rule option to decode base64 data - must be used with base64_data option
</p>
</li>
<li>
<p>
<strong>binder</strong> (inspector): configure processing based on CIDRs, ports, services, etc.
</p>
</li>
<li>
<p>
<strong>bufferlen</strong> (ips_option): rule option to check length of current buffer
</p>
</li>
<li>
<p>
<strong>byte_extract</strong> (ips_option): rule option to convert data to an integer variable
</p>
</li>
<li>
<p>
<strong>byte_jump</strong> (ips_option): rule option to move the detection cursor
</p>
</li>
<li>
<p>
<strong>byte_test</strong> (ips_option): rule option to convert data to integer and compare
</p>
</li>
<li>
<p>
<strong>classifications</strong> (basic): define rule categories with priority
</p>
</li>
<li>
<p>
<strong>classtype</strong> (ips_option): general rule option for rule classification
</p>
</li>
<li>
<p>
<strong>content</strong> (ips_option): payload rule option for basic pattern matching
</p>
</li>
<li>
<p>
<strong>cvs</strong> (ips_option): payload rule option for detecting specific attacks
</p>
</li>
<li>
<p>
<strong>daq</strong> (basic): configure packet acquisition interface
</p>
</li>
<li>
<p>
<strong>data_log</strong> (inspector): log selected published data to data.log
</p>
</li>
<li>
<p>
<strong>decode</strong> (basic): general decoder rules
</p>
</li>
<li>
<p>
<strong>detection</strong> (basic): configure general IPS rule processing parameters
</p>
</li>
<li>
<p>
<strong>detection_filter</strong> (ips_option): rule option to require multiple hits before a rule generates an event
</p>
</li>
<li>
<p>
<strong>dns</strong> (inspector): dns inspection
</p>
</li>
<li>
<p>
<strong>dpx</strong> (inspector): dynamic inspector example
</p>
</li>
<li>
<p>
<strong>dsize</strong> (ips_option): rule option to test payload size
</p>
</li>
<li>
<p>
<strong>eapol</strong> (codec): support for extensible authentication protocol over LAN
</p>
</li>
<li>
<p>
<strong>erspan2</strong> (codec): support for encapsulated remote switched port analyzer - type 2
</p>
</li>
<li>
<p>
<strong>erspan3</strong> (codec): support for encapsulated remote switched port analyzer - type 3
</p>
</li>
<li>
<p>
<strong>esp</strong> (codec): support for encapsulating security payload
</p>
</li>
<li>
<p>
<strong>eth</strong> (codec): support for ethernet protocol (DLT 1) (DLT 51)
</p>
</li>
<li>
<p>
<strong>event_filter</strong> (basic): configure thresholding of events
</p>
</li>
<li>
<p>
<strong>event_queue</strong> (basic): configure event queue parameters
</p>
</li>
<li>
<p>
<strong>fabricpath</strong> (codec): support for fabricpath
</p>
</li>
<li>
<p>
<strong>file_data</strong> (ips_option): rule option to set detection cursor to file data
</p>
</li>
<li>
<p>
<strong>file_id</strong> (basic): configure file identification
</p>
</li>
<li>
<p>
<strong>flags</strong> (ips_option): rule option to test TCP control flags
</p>
</li>
<li>
<p>
<strong>flow</strong> (ips_option): rule option to check session properties
</p>
</li>
<li>
<p>
<strong>flowbits</strong> (ips_option): rule option to set and test arbitrary boolean flags
</p>
</li>
<li>
<p>
<strong>fragbits</strong> (ips_option): rule option to test IP frag flags
</p>
</li>
<li>
<p>
<strong>fragoffset</strong> (ips_option): rule option to test IP frag offset
</p>
</li>
<li>
<p>
<strong>ftp_client</strong> (inspector): FTP client configuration module for use with ftp_server
</p>
</li>
<li>
<p>
<strong>ftp_data</strong> (inspector): FTP data channel handler
</p>
</li>
<li>
<p>
<strong>ftp_server</strong> (inspector): main FTP module; ftp_client should also be configured
</p>
</li>
<li>
<p>
<strong>gid</strong> (ips_option): rule option specifying rule generator
</p>
</li>
<li>
<p>
<strong>gre</strong> (codec): support for generic routing encapsulation
</p>
</li>
<li>
<p>
<strong>gtp</strong> (codec): support for general-packet-radio-service tunnelling protocol
</p>
</li>
<li>
<p>
<strong>gtp_info</strong> (ips_option): rule option to check gtp info element
</p>
</li>
<li>
<p>
<strong>gtp_inspect</strong> (inspector): gtp control channel inspection
</p>
</li>
<li>
<p>
<strong>gtp_type</strong> (ips_option): rule option to check gtp types
</p>
</li>
<li>
<p>
<strong>gtp_version</strong> (ips_option): rule option to check gtp version
</p>
</li>
<li>
<p>
<strong>hosts</strong> (basic): configure hosts
</p>
</li>
<li>
<p>
<strong>http_client_body</strong> (ips_option): rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>http_cookie</strong> (ips_option): rule option to set the detection cursor to the HTTP cookie
</p>
</li>
<li>
<p>
<strong>http_global</strong> (inspector): http inspector global configuration and client rules for use with http_server
</p>
</li>
<li>
<p>
<strong>http_header</strong> (ips_option): rule option to set the detection cursor to the normalized header(s)
</p>
</li>
<li>
<p>
<strong>http_inspect</strong> (inspector): http inspection and server rules; also configure http_inspect
</p>
</li>
<li>
<p>
<strong>http_method</strong> (ips_option): rule option to set the detection cursor to the HTTP request method
</p>
</li>
<li>
<p>
<strong>http_raw_cookie</strong> (ips_option): rule option to set the detection cursor to the unnormalized cookie
</p>
</li>
<li>
<p>
<strong>http_raw_header</strong> (ips_option): rule option to set the detection cursor to the unnormalized headers
</p>
</li>
<li>
<p>
<strong>http_raw_uri</strong> (ips_option): rule option to set the detection cursor to the unnormalized URI
</p>
</li>
<li>
<p>
<strong>http_stat_code</strong> (ips_option): rule option to set the detection cursor to the HTTP status code
</p>
</li>
<li>
<p>
<strong>http_stat_msg</strong> (ips_option): rule option to set the detection cursor to the HTTP status message
</p>
</li>
<li>
<p>
<strong>http_uri</strong> (ips_option): rule option to set the detection cursor to the normalized URI buffer
</p>
</li>
<li>
<p>
<strong>icmp4</strong> (codec): support for Internet control message protocol v4
</p>
</li>
<li>
<p>
<strong>icmp6</strong> (codec): support for Internet control message protocol v6
</p>
</li>
<li>
<p>
<strong>icmp_id</strong> (ips_option): rule option to check ICMP ID
</p>
</li>
<li>
<p>
<strong>icmp_seq</strong> (ips_option): rule option to check ICMP sequence number
</p>
</li>
<li>
<p>
<strong>icode</strong> (ips_option): rule option to check ICMP code
</p>
</li>
<li>
<p>
<strong>id</strong> (ips_option): rule option to check the IP ID field
</p>
</li>
<li>
<p>
<strong>igmp</strong> (codec): support for Internet group management protocol
</p>
</li>
<li>
<p>
<strong>imap</strong> (inspector): imap inspection
</p>
</li>
<li>
<p>
<strong>ip_proto</strong> (ips_option): rule option to check the IP protocol number
</p>
</li>
<li>
<p>
<strong>ipopts</strong> (ips_option): rule option to check for IP options
</p>
</li>
<li>
<p>
<strong>ips</strong> (basic): configure IPS rule processing
</p>
</li>
<li>
<p>
<strong>ipv4</strong> (codec): support for Internet protocol v4
</p>
</li>
<li>
<p>
<strong>ipv6</strong> (codec): support for Internet protocol v6
</p>
</li>
<li>
<p>
<strong>isdataat</strong> (ips_option): rule option to check for the presence of payload data
</p>
</li>
<li>
<p>
<strong>itype</strong> (ips_option): rule option to check ICMP type
</p>
</li>
<li>
<p>
<strong>log_codecs</strong> (logger): log protocols in packet by layer
</p>
</li>
<li>
<p>
<strong>log_hext</strong> (logger): output payload suitable for daq hext
</p>
</li>
<li>
<p>
<strong>log_pcap</strong> (logger): log packet in pcap format
</p>
</li>
<li>
<p>
<strong>lowmem_q</strong> (search_engine): MPSE that minimizes memory used
</p>
</li>
<li>
<p>
<strong>md5</strong> (ips_option): payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>metadata</strong> (ips_option): rule option for conveying arbitrary name, value data within the rule text
</p>
</li>
<li>
<p>
<strong>modbus</strong> (inspector): modbus inspection
</p>
</li>
<li>
<p>
<strong>modbus_data</strong> (ips_option): rule option to set cursor to modbus data
</p>
</li>
<li>
<p>
<strong>modbus_func</strong> (ips_option): rule option to check modbus function code
</p>
</li>
<li>
<p>
<strong>modbus_unit</strong> (ips_option): rule option to check modbus unit ID
</p>
</li>
<li>
<p>
<strong>mpls</strong> (codec): support for multiprotocol label switching
</p>
</li>
<li>
<p>
<strong>msg</strong> (ips_option): rule option summarizing rule purpose output with events
</p>
</li>
<li>
<p>
<strong>network</strong> (basic): configure basic network parameters
</p>
</li>
<li>
<p>
<strong>new_http_inspect</strong> (inspector): new HTTP inspector
</p>
</li>
<li>
<p>
<strong>normalizer</strong> (inspector): packet scrubbing for inline mode
</p>
</li>
<li>
<p>
<strong>output</strong> (basic): configure general output parameters
</p>
</li>
<li>
<p>
<strong>packets</strong> (basic): configure basic packet handling
</p>
</li>
<li>
<p>
<strong>pcre</strong> (ips_option): rule option for matching payload data with regex
</p>
</li>
<li>
<p>
<strong>perf_monitor</strong> (inspector): performance monitoring and flow statistics collection
</p>
</li>
<li>
<p>
<strong>pgm</strong> (codec): support for pragmatic general multicast
</p>
</li>
<li>
<p>
<strong>pkt_data</strong> (ips_option): rule option to set the detection cursor to the normalized packet data
</p>
</li>
<li>
<p>
<strong>pkt_num</strong> (ips_option): alert on raw packet number
</p>
</li>
<li>
<p>
<strong>pop</strong> (inspector): pop inspection
</p>
</li>
<li>
<p>
<strong>port_scan</strong> (inspector): port scan inspector; also configure port_scan_global
</p>
</li>
<li>
<p>
<strong>port_scan_global</strong> (inspector): shared settings for port_scan inspectors for use with port_scan
</p>
</li>
<li>
<p>
<strong>pppoe</strong> (codec): support for point-to-point protocol over ethernet
</p>
</li>
<li>
<p>
<strong>priority</strong> (ips_option): rule option for prioritizing events
</p>
</li>
<li>
<p>
<strong>process</strong> (basic): configure basic process setup
</p>
</li>
<li>
<p>
<strong>rate_filter</strong> (basic): configure rate filters (which change rule actions)
</p>
</li>
<li>
<p>
<strong>raw_data</strong> (ips_option): rule option to set the detection cursor to the raw packet data
</p>
</li>
<li>
<p>
<strong>react</strong> (ips_action): send response to client and terminate session
</p>
</li>
<li>
<p>
<strong>reference</strong> (ips_option): rule option to indicate relevant attack identification system
</p>
</li>
<li>
<p>
<strong>references</strong> (basic): define reference systems used in rules
</p>
</li>
<li>
<p>
<strong>reject</strong> (ips_action): terminate session with TCP reset or ICMP unreachable
</p>
</li>
<li>
<p>
<strong>rem</strong> (ips_option): rule option to convey an arbitrary comment in the rule body
</p>
</li>
<li>
<p>
<strong>replace</strong> (ips_option): rule option to overwrite payload data; use with rewrite action
</p>
</li>
<li>
<p>
<strong>rev</strong> (ips_option): rule option to indicate current revision of signature
</p>
</li>
<li>
<p>
<strong>rewrite</strong> (ips_action): overwrite packet contents
</p>
</li>
<li>
<p>
<strong>rpc</strong> (ips_option): rule option to check SUNRPC CALL parameters
</p>
</li>
<li>
<p>
<strong>rpc_decode</strong> (inspector): RPC inspector
</p>
</li>
<li>
<p>
<strong>rule_state</strong> (basic): enable/disable specific IPS rules
</p>
</li>
<li>
<p>
<strong>search_engine</strong> (basic): configure fast pattern matcher
</p>
</li>
<li>
<p>
<strong>seq</strong> (ips_option): rule option to check TCP sequence number
</p>
</li>
<li>
<p>
<strong>session</strong> (ips_option): rule option to check user data from TCP sessions
</p>
</li>
<li>
<p>
<strong>sha256</strong> (ips_option): payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>sha512</strong> (ips_option): payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>sid</strong> (ips_option): rule option to indicate signature number
</p>
</li>
<li>
<p>
<strong>sip</strong> (inspector): sip inspection
</p>
</li>
<li>
<p>
<strong>sip_body</strong> (ips_option): rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>sip_header</strong> (ips_option): rule option to set the detection cursor to the SIP header buffer
</p>
</li>
<li>
<p>
<strong>sip_method</strong> (ips_option): detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>sip_stat_code</strong> (ips_option): detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>smtp</strong> (inspector): smtp inspection
</p>
</li>
<li>
<p>
<strong>snort</strong> (basic): command line configuration and shell commands
</p>
</li>
<li>
<p>
<strong>so</strong> (ips_option): rule option to call custom eval function
</p>
</li>
<li>
<p>
<strong>soid</strong> (ips_option): rule option to specify a shared object rule ID
</p>
</li>
<li>
<p>
<strong>ssh</strong> (inspector): ssh inspection
</p>
</li>
<li>
<p>
<strong>ssl</strong> (inspector): ssl inspection
</p>
</li>
<li>
<p>
<strong>ssl_state</strong> (ips_option): detection option for ssl state
</p>
</li>
<li>
<p>
<strong>ssl_version</strong> (ips_option): detection option for ssl version
</p>
</li>
<li>
<p>
<strong>stream</strong> (inspector): common flow tracking
</p>
</li>
<li>
<p>
<strong>stream_file</strong> (inspector): stream inspector for file flow tracking and processing
</p>
</li>
<li>
<p>
<strong>stream_icmp</strong> (inspector): stream inspector for ICMP flow tracking
</p>
</li>
<li>
<p>
<strong>stream_ip</strong> (inspector): stream inspector for IP flow tracking and defragmentation
</p>
</li>
<li>
<p>
<strong>stream_reassemble</strong> (ips_option): detection option for stream reassembly control
</p>
</li>
<li>
<p>
<strong>stream_size</strong> (ips_option): detection option for stream size checking
</p>
</li>
<li>
<p>
<strong>stream_tcp</strong> (inspector): stream inspector for TCP flow tracking and stream normalization and reassembly
</p>
</li>
<li>
<p>
<strong>stream_udp</strong> (inspector): stream inspector for UDP flow tracking
</p>
</li>
<li>
<p>
<strong>stream_user</strong> (inspector): stream inspector for user flow tracking and reassembly
</p>
</li>
<li>
<p>
<strong>suppress</strong> (basic): configure event suppressions
</p>
</li>
<li>
<p>
<strong>tag</strong> (ips_option): rule option to log additional packets
</p>
</li>
<li>
<p>
<strong>tcp</strong> (codec): support for transmission control protocol
</p>
</li>
<li>
<p>
<strong>telnet</strong> (inspector): telnet inspection and normalization
</p>
</li>
<li>
<p>
<strong>token_ring</strong> (codec): support for token ring decoding
</p>
</li>
<li>
<p>
<strong>tos</strong> (ips_option): rule option to check type of service field
</p>
</li>
<li>
<p>
<strong>ttl</strong> (ips_option): rule option to check time to live field
</p>
</li>
<li>
<p>
<strong>udp</strong> (codec): support for user datagram protocol
</p>
</li>
<li>
<p>
<strong>unified2</strong> (logger): output event and packet in unified2 format file
</p>
</li>
<li>
<p>
<strong>urg</strong> (ips_option): detection for TCP urgent pointer
</p>
</li>
<li>
<p>
<strong>vlan</strong> (codec): support for local area network
</p>
</li>
<li>
<p>
<strong>window</strong> (ips_option): rule option to check TCP window field
</p>
</li>
<li>
<p>
<strong>wizard</strong> (inspector): inspector that implements port-independent protocol identification
</p>
</li>
<li>
<p>
<strong>wlan</strong> (codec): support for wireless local area network protocol (DLT 105)
:leveloffset: 0
</p>
</li>
</ul></div>
<div class="sect3">
<h4 id="_plugin_listing">Plugin Listing</h4>
<div class="ulist"><ul>
<li>
<p>
<strong>codec::arp</strong>: support for address resolution protocol
</p>
</li>
<li>
<p>
<strong>codec::auth</strong>: support for IP authentication header
</p>
</li>
<li>
<p>
<strong>codec::eapol</strong>: support for extensible authentication protocol over LAN
</p>
</li>
<li>
<p>
<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2
</p>
</li>
<li>
<p>
<strong>codec::erspan3</strong>: support for encapsulated remote switched port analyzer - type 3
</p>
</li>
<li>
<p>
<strong>codec::esp</strong>: support for encapsulating security payload
</p>
</li>
<li>
<p>
<strong>codec::eth</strong>: support for ethernet protocol (DLT 1) (DLT 51)
</p>
</li>
<li>
<p>
<strong>codec::fabricpath</strong>: support for fabricpath
</p>
</li>
<li>
<p>
<strong>codec::gre</strong>: support for generic routing encapsulation
</p>
</li>
<li>
<p>
<strong>codec::gtp</strong>: support for general-packet-radio-service tunnelling protocol
</p>
</li>
<li>
<p>
<strong>codec::i4l_rawip</strong>: support for I4L IP
</p>
</li>
<li>
<p>
<strong>codec::icmp4</strong>: support for Internet control message protocol v4
</p>
</li>
<li>
<p>
<strong>codec::icmp4_ip</strong>: support for IP in ICMPv4
</p>
</li>
<li>
<p>
<strong>codec::icmp6</strong>: support for Internet control message protocol v6
</p>
</li>
<li>
<p>
<strong>codec::icmp6_ip</strong>: support for IP in ICMPv6
</p>
</li>
<li>
<p>
<strong>codec::igmp</strong>: support for Internet group management protocol
</p>
</li>
<li>
<p>
<strong>codec::ipv4</strong>: support for Internet protocol v4
</p>
</li>
<li>
<p>
<strong>codec::ipv6</strong>: support for Internet protocol v6
</p>
</li>
<li>
<p>
<strong>codec::ipv6_dst_opts</strong>: support for ipv6 destination options
</p>
</li>
<li>
<p>
<strong>codec::ipv6_frag</strong>: support for IPv6 fragment decoding
</p>
</li>
<li>
<p>
<strong>codec::ipv6_hop_opts</strong>: support for IPv6 hop options
</p>
</li>
<li>
<p>
<strong>codec::ipv6_mobility</strong>: support for mobility
</p>
</li>
<li>
<p>
<strong>codec::ipv6_no_next</strong>: sentinel codec
</p>
</li>
<li>
<p>
<strong>codec::ipv6_routing</strong>: support for IPv6 routing extension
</p>
</li>
<li>
<p>
<strong>codec::linux_sll</strong>: support for Linux SLL (DLT 113)
</p>
</li>
<li>
<p>
<strong>codec::llc</strong>: support for logical link control
</p>
</li>
<li>
<p>
<strong>codec::mpls</strong>: support for multiprotocol label switching
</p>
</li>
<li>
<p>
<strong>codec::null</strong>: support for null encapsulation (DLT 0)
</p>
</li>
<li>
<p>
<strong>codec::pflog</strong>: support for OpenBSD PF log (DLT 117)
</p>
</li>
<li>
<p>
<strong>codec::pgm</strong>: support for pragmatic general multicast
</p>
</li>
<li>
<p>
<strong>codec::pim</strong>: support for protocol independent multicast
</p>
</li>
<li>
<p>
<strong>codec::ppp</strong>: support for point-to-point encapsulation (DLT DLT_PPP)
</p>
</li>
<li>
<p>
<strong>codec::ppp_encap</strong>: support for point-to-point encapsulation
</p>
</li>
<li>
<p>
<strong>codec::pppoe_disc</strong>: support for point-to-point discovery
</p>
</li>
<li>
<p>
<strong>codec::pppoe_sess</strong>: support for point-to-point session
</p>
</li>
<li>
<p>
<strong>codec::raw4</strong>: support for unencapsulated IPv4 (DLT 12) (DLT 228)
</p>
</li>
<li>
<p>
<strong>codec::raw6</strong>: support for unencapsulated IPv6 (DLT 229)
</p>
</li>
<li>
<p>
<strong>codec::slip</strong>: support for slip protocol (DLT 8)
</p>
</li>
<li>
<p>
<strong>codec::sun_nd</strong>: support for Sun ND
</p>
</li>
<li>
<p>
<strong>codec::swipe</strong>: support for Swipe
</p>
</li>
<li>
<p>
<strong>codec::tcp</strong>: support for transmission control protocol
</p>
</li>
<li>
<p>
<strong>codec::teredo</strong>: support for teredo
</p>
</li>
<li>
<p>
<strong>codec::token_ring</strong>: support for token ring decoding
</p>
</li>
<li>
<p>
<strong>codec::trans_bridge</strong>: support for trans-bridging
</p>
</li>
<li>
<p>
<strong>codec::udp</strong>: support for user datagram protocol
</p>
</li>
<li>
<p>
<strong>codec::user</strong>: support for user sessions (DLT 230)
</p>
</li>
<li>
<p>
<strong>codec::vlan</strong>: support for local area network
</p>
</li>
<li>
<p>
<strong>codec::wlan</strong>: support for wireless local area network protocol (DLT 105)
</p>
</li>
<li>
<p>
<strong>inspector::arp_spoof</strong>: detect ARP attacks and anomalies
</p>
</li>
<li>
<p>
<strong>inspector::back_orifice</strong>: back orifice detection
</p>
</li>
<li>
<p>
<strong>inspector::binder</strong>: configure processing based on CIDRs, ports, services, etc.
</p>
</li>
<li>
<p>
<strong>inspector::data_log</strong>: log selected published data to data.log
</p>
</li>
<li>
<p>
<strong>inspector::dns</strong>: dns inspection
</p>
</li>
<li>
<p>
<strong>inspector::dpx</strong>: dynamic inspector example
</p>
</li>
<li>
<p>
<strong>inspector::ftp_client</strong>: FTP inspector client module
</p>
</li>
<li>
<p>
<strong>inspector::ftp_data</strong>: FTP data channel handler
</p>
</li>
<li>
<p>
<strong>inspector::ftp_server</strong>: FTP inspector server module
</p>
</li>
<li>
<p>
<strong>inspector::gtp_inspect</strong>: gtp control channel inspection
</p>
</li>
<li>
<p>
<strong>inspector::http_global</strong>: shared HTTP inspector settings
</p>
</li>
<li>
<p>
<strong>inspector::http_inspect</strong>: main HTTP inspector module
</p>
</li>
<li>
<p>
<strong>inspector::imap</strong>: imap inspection
</p>
</li>
<li>
<p>
<strong>inspector::modbus</strong>: modbus inspection
</p>
</li>
<li>
<p>
<strong>inspector::new_http_inspect</strong>: the new HTTP inspector!
</p>
</li>
<li>
<p>
<strong>inspector::normalizer</strong>: packet scrubbing for inline mode
</p>
</li>
<li>
<p>
<strong>inspector::perf_monitor</strong>: performance monitoring and flow statistics collection
</p>
</li>
<li>
<p>
<strong>inspector::pop</strong>: pop inspection
</p>
</li>
<li>
<p>
<strong>inspector::port_scan</strong>: port scan inspector; also configure port_scan_global
</p>
</li>
<li>
<p>
<strong>inspector::port_scan_global</strong>: shared settings for port_scan inspectors for use with port_scan
</p>
</li>
<li>
<p>
<strong>inspector::rpc_decode</strong>: RPC inspector
</p>
</li>
<li>
<p>
<strong>inspector::sip</strong>: sip inspection
</p>
</li>
<li>
<p>
<strong>inspector::smtp</strong>: smtp inspection
</p>
</li>
<li>
<p>
<strong>inspector::ssh</strong>: ssh inspection
</p>
</li>
<li>
<p>
<strong>inspector::ssl</strong>: ssl inspection
</p>
</li>
<li>
<p>
<strong>inspector::stream</strong>: common flow tracking
</p>
</li>
<li>
<p>
<strong>inspector::stream_file</strong>: stream inspector for file flow tracking and processing
</p>
</li>
<li>
<p>
<strong>inspector::stream_icmp</strong>: stream inspector for ICMP flow tracking
</p>
</li>
<li>
<p>
<strong>inspector::stream_ip</strong>: stream inspector for IP flow tracking and defragmentation
</p>
</li>
<li>
<p>
<strong>inspector::stream_tcp</strong>: stream inspector for TCP flow tracking and stream normalization and reassembly
</p>
</li>
<li>
<p>
<strong>inspector::stream_udp</strong>: stream inspector for UDP flow tracking
</p>
</li>
<li>
<p>
<strong>inspector::stream_user</strong>: stream inspector for user flow tracking and reassembly
</p>
</li>
<li>
<p>
<strong>inspector::telnet</strong>: telnet inspection and normalization
</p>
</li>
<li>
<p>
<strong>inspector::wizard</strong>: inspector that implements port-independent protocol identification
</p>
</li>
<li>
<p>
<strong>ips_action::react</strong>: send response to client and terminate session
</p>
</li>
<li>
<p>
<strong>ips_action::reject</strong>: terminate session with TCP reset or ICMP unreachable
</p>
</li>
<li>
<p>
<strong>ips_action::rewrite</strong>: overwrite packet contents
</p>
</li>
<li>
<p>
<strong>ips_option::ack</strong>: rule option to match on TCP ack numbers
</p>
</li>
<li>
<p>
<strong>ips_option::asn1</strong>: rule option for asn1 detection
</p>
</li>
<li>
<p>
<strong>ips_option::base64_data</strong>: set detection cursor to decoded Base64 data
</p>
</li>
<li>
<p>
<strong>ips_option::base64_decode</strong>: rule option to decode base64 data - must be used with base64_data option
</p>
</li>
<li>
<p>
<strong>ips_option::bufferlen</strong>: rule option to check length of current buffer
</p>
</li>
<li>
<p>
<strong>ips_option::byte_extract</strong>: rule option to convert data to an integer variable
</p>
</li>
<li>
<p>
<strong>ips_option::byte_jump</strong>: rule option to move the detection cursor
</p>
</li>
<li>
<p>
<strong>ips_option::byte_test</strong>: rule option to convert data to integer and compare
</p>
</li>
<li>
<p>
<strong>ips_option::classtype</strong>: general rule option for rule classification
</p>
</li>
<li>
<p>
<strong>ips_option::content</strong>: payload rule option for basic pattern matching
</p>
</li>
<li>
<p>
<strong>ips_option::cvs</strong>: payload rule option for detecting specific attacks
</p>
</li>
<li>
<p>
<strong>ips_option::detection_filter</strong>: rule option to require multiple hits before a rule generates an event
</p>
</li>
<li>
<p>
<strong>ips_option::dsize</strong>: rule option to test payload size
</p>
</li>
<li>
<p>
<strong>ips_option::file_data</strong>: rule option to set detection cursor to file data
</p>
</li>
<li>
<p>
<strong>ips_option::flags</strong>: rule option to test TCP control flags
</p>
</li>
<li>
<p>
<strong>ips_option::flow</strong>: rule option to check session properties
</p>
</li>
<li>
<p>
<strong>ips_option::flowbits</strong>: rule option to set and test arbitrary boolean flags
</p>
</li>
<li>
<p>
<strong>ips_option::fragbits</strong>: rule option to test IP frag flags
</p>
</li>
<li>
<p>
<strong>ips_option::fragoffset</strong>: rule option to test IP frag offset
</p>
</li>
<li>
<p>
<strong>ips_option::gid</strong>: rule option specifying rule generator
</p>
</li>
<li>
<p>
<strong>ips_option::gtp_info</strong>: rule option to check gtp info element
</p>
</li>
<li>
<p>
<strong>ips_option::gtp_type</strong>: rule option to check gtp types
</p>
</li>
<li>
<p>
<strong>ips_option::gtp_version</strong>: rule option to check gtp version
</p>
</li>
<li>
<p>
<strong>ips_option::http_client_body</strong>: rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>ips_option::http_cookie</strong>: rule option to set the detection cursor to the HTTP cookie
</p>
</li>
<li>
<p>
<strong>ips_option::http_header</strong>: rule option to set the detection cursor to the normalized header(s)
</p>
</li>
<li>
<p>
<strong>ips_option::http_method</strong>: rule option to set the detection cursor to the HTTP request method
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_cookie</strong>: rule option to set the detection cursor to the unnormalized cookie
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_header</strong>: rule option to set the detection cursor to the unnormalized headers
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_uri</strong>: rule option to set the detection cursor to the unnormalized URI
</p>
</li>
<li>
<p>
<strong>ips_option::http_stat_code</strong>: rule option to set the detection cursor to the HTTP status code
</p>
</li>
<li>
<p>
<strong>ips_option::http_stat_msg</strong>: rule option to set the detection cursor to the HTTP status message
</p>
</li>
<li>
<p>
<strong>ips_option::http_uri</strong>: rule option to set the detection cursor to the normalized URI buffer
</p>
</li>
<li>
<p>
<strong>ips_option::icmp_id</strong>: rule option to check ICMP ID
</p>
</li>
<li>
<p>
<strong>ips_option::icmp_seq</strong>: rule option to check ICMP sequence number
</p>
</li>
<li>
<p>
<strong>ips_option::icode</strong>: rule option to check ICMP code
</p>
</li>
<li>
<p>
<strong>ips_option::id</strong>: rule option to check the IP ID field
</p>
</li>
<li>
<p>
<strong>ips_option::ip_proto</strong>: rule option to check the IP protocol number
</p>
</li>
<li>
<p>
<strong>ips_option::ipopts</strong>: rule option to check for IP options
</p>
</li>
<li>
<p>
<strong>ips_option::isdataat</strong>: rule option to check for the presence of payload data
</p>
</li>
<li>
<p>
<strong>ips_option::itype</strong>: rule option to check ICMP type
</p>
</li>
<li>
<p>
<strong>ips_option::md5</strong>: payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>ips_option::metadata</strong>: rule option for conveying arbitrary name, value data within the rule text
</p>
</li>
<li>
<p>
<strong>ips_option::modbus_data</strong>: rule option to set cursor to modbus data
</p>
</li>
<li>
<p>
<strong>ips_option::modbus_func</strong>: rule option to check modbus function code
</p>
</li>
<li>
<p>
<strong>ips_option::modbus_unit</strong>: rule option to check modbus unit ID
</p>
</li>
<li>
<p>
<strong>ips_option::msg</strong>: rule option summarizing rule purpose output with events
</p>
</li>
<li>
<p>
<strong>ips_option::pcre</strong>: rule option for matching payload data with regex
</p>
</li>
<li>
<p>
<strong>ips_option::pkt_data</strong>: rule option to set the detection cursor to the normalized packet data
</p>
</li>
<li>
<p>
<strong>ips_option::pkt_num</strong>: alert on raw packet number
</p>
</li>
<li>
<p>
<strong>ips_option::priority</strong>: rule option for prioritizing events
</p>
</li>
<li>
<p>
<strong>ips_option::raw_data</strong>: rule option to set the detection cursor to the raw packet data
</p>
</li>
<li>
<p>
<strong>ips_option::reference</strong>: rule option to indicate relevant attack identification system
</p>
</li>
<li>
<p>
<strong>ips_option::rem</strong>: rule option to convey an arbitrary comment in the rule body
</p>
</li>
<li>
<p>
<strong>ips_option::replace</strong>: rule option to overwrite payload data; use with rewrite action
</p>
</li>
<li>
<p>
<strong>ips_option::rev</strong>: rule option to indicate current revision of signature
</p>
</li>
<li>
<p>
<strong>ips_option::rpc</strong>: rule option to check SUNRPC CALL parameters
</p>
</li>
<li>
<p>
<strong>ips_option::seq</strong>: rule option to check TCP sequence number
</p>
</li>
<li>
<p>
<strong>ips_option::session</strong>: rule option to check user data from TCP sessions
</p>
</li>
<li>
<p>
<strong>ips_option::sha256</strong>: payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>ips_option::sha512</strong>: payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>ips_option::sid</strong>: rule option to indicate signature number
</p>
</li>
<li>
<p>
<strong>ips_option::sip_body</strong>: rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>ips_option::sip_header</strong>: rule option to set the detection cursor to the SIP header buffer
</p>
</li>
<li>
<p>
<strong>ips_option::sip_method</strong>: detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>ips_option::sip_stat_code</strong>: detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>ips_option::so</strong>: rule option to call custom eval function
</p>
</li>
<li>
<p>
<strong>ips_option::soid</strong>: rule option to specify a shared object rule ID
</p>
</li>
<li>
<p>
<strong>ips_option::ssl_state</strong>: detection option for ssl state
</p>
</li>
<li>
<p>
<strong>ips_option::ssl_version</strong>: detection option for ssl version
</p>
</li>
<li>
<p>
<strong>ips_option::stream_reassemble</strong>: detection option for stream reassembly control
</p>
</li>
<li>
<p>
<strong>ips_option::stream_size</strong>: detection option for stream size checking
</p>
</li>
<li>
<p>
<strong>ips_option::tag</strong>: rule option to log additional packets
</p>
</li>
<li>
<p>
<strong>ips_option::tos</strong>: rule option to check type of service field
</p>
</li>
<li>
<p>
<strong>ips_option::ttl</strong>: rule option to check time to live field
</p>
</li>
<li>
<p>
<strong>ips_option::urg</strong>: detection for TCP urgent pointer
</p>
</li>
<li>
<p>
<strong>ips_option::window</strong>: rule option to check TCP window field
</p>
</li>
<li>
<p>
<strong>logger::alert_csv</strong>: output event in csv format
</p>
</li>
<li>
<p>
<strong>logger::alert_ex</strong>: output gid:sid:rev for alerts
</p>
</li>
<li>
<p>
<strong>logger::alert_fast</strong>: output event with brief text format
</p>
</li>
<li>
<p>
<strong>logger::alert_full</strong>: output event with full packet dump
</p>
</li>
<li>
<p>
<strong>logger::alert_syslog</strong>: output event to syslog
</p>
</li>
<li>
<p>
<strong>logger::alert_unixsock</strong>: output event over unix socket
</p>
</li>
<li>
<p>
<strong>logger::log_codecs</strong>: log protocols in packet by layer
</p>
</li>
<li>
<p>
<strong>logger::log_hext</strong>: output payload suitable for daq hext
</p>
</li>
<li>
<p>
<strong>logger::log_null</strong>: disable logging of packets
</p>
</li>
<li>
<p>
<strong>logger::log_pcap</strong>: log packet in pcap format
</p>
</li>
<li>
<p>
<strong>logger::unified2</strong>: output event and packet in unified2 format file
</p>
</li>
<li>
<p>
<strong>piglet::pp_codec</strong>: Codec piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_inspector</strong>: Inspector piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_ips_action</strong>: Ips action piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_ips_option</strong>: Ips option piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_logger</strong>: Logger piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_search_engine</strong>: Search engine piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_so_rule</strong>: SO rule piglet
</p>
</li>
<li>
<p>
<strong>piglet::pp_test</strong>: Test piglet
</p>
</li>
<li>
<p>
<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)
</p>
</li>
<li>
<p>
<strong>search_engine::ac_bnfa</strong>: Aho-Corasick Binary NFA (low memory, high performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::ac_bnfa_q</strong>: Aho-Corasick Binary NFA (low memory, high performance) with queued events
</p>
</li>
<li>
<p>
<strong>search_engine::ac_full</strong>: Aho-Corasick Full (high memory, best performance), implements search_all()
</p>
</li>
<li>
<p>
<strong>search_engine::ac_full_q</strong>: Aho-Corasick Full (high memory, best performance) with queued events, implements search_all()
</p>
</li>
<li>
<p>
<strong>search_engine::ac_sparse</strong>: Aho-Corasick Sparse (high memory, moderate performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::ac_sparse_bands</strong>: Aho-Corasick Sparse-Banded (high memory, moderate performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::ac_std</strong>: Aho-Corasick Full (high memory, best performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::lowmem</strong>: Keyword Trie (low memory, moderate performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::lowmem_q</strong>: Keyword Trie (low memory, moderate performance) MPSE with queued events
</p>
</li>
<li>
<p>
<strong>so_rule::3|18758</strong>: SO rule example
</p>
</li>
</ul></div>
</div>
</div>
</div>
</div>
</div>
<div id="footnotes"><hr /></div>
<div id="footer">
<div id="footer-text">
Last updated 2015-11-05 18:33:45 EST
</div>
</div>
</body>
</html>
